--- /dev/null
+From 003e6b56d780095a9adc23efc9cb4b4b4717169b Mon Sep 17 00:00:00 2001
+From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+Date: Mon, 17 Jul 2023 19:33:45 +0800
+Subject: ACPI/IORT: Remove erroneous id_count check in iort_node_get_rmr_info()
+
+From: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+
+commit 003e6b56d780095a9adc23efc9cb4b4b4717169b upstream.
+
+According to the ARM IORT specifications DEN 0049 issue E,
+the "Number of IDs" field in the ID mapping format reports
+the number of IDs in the mapping range minus one.
+
+In iort_node_get_rmr_info(), we erroneously skip ID mappings
+whose "Number of IDs" equal to 0, resulting in valid mapping
+nodes with a single ID to map being skipped, which is wrong.
+
+Fix iort_node_get_rmr_info() by removing the bogus id_count
+check.
+
+Fixes: 491cf4a6735a ("ACPI/IORT: Add support to retrieve IORT RMR reserved regions")
+Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
+Cc: <stable@vger.kernel.org> # 6.0.x
+Acked-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Tested-by: Hanjun Guo <guohanjun@huawei.com>
+Link: https://lore.kernel.org/r/1689593625-45213-1-git-send-email-guanghuifeng@linux.alibaba.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/arm64/iort.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -998,9 +998,6 @@ static void iort_node_get_rmr_info(struc
+ for (i = 0; i < node->mapping_count; i++, map++) {
+ struct acpi_iort_node *parent;
+
+- if (!map->id_count)
+- continue;
+-
+ parent = ACPI_ADD_PTR(struct acpi_iort_node, iort_table,
+ map->output_reference);
+ if (parent != iommu)
--- /dev/null
+From 8019a4ab3d80c7af391a646cccff953753fc025f Mon Sep 17 00:00:00 2001
+From: Pavel Asyutchenko <svenpavel@gmail.com>
+Date: Thu, 27 Jul 2023 01:37:32 +0300
+Subject: ALSA: hda/realtek: Support ASUS G713PV laptop
+
+From: Pavel Asyutchenko <svenpavel@gmail.com>
+
+commit 8019a4ab3d80c7af391a646cccff953753fc025f upstream.
+
+This laptop has CS35L41 amp connected via I2C.
+
+With this patch speakers begin to work if the
+missing _DSD properties are added to ACPI tables.
+
+Signed-off-by: Pavel Asyutchenko <svenpavel@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230726223732.20775-1-svenpavel@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9580,6 +9580,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
+ SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
++ SND_PCI_QUIRK(0x1043, 0x1d1f, "ASUS ROG Strix G17 2023 (G713PV)", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE),
+ SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402", ALC245_FIXUP_CS35L41_SPI_2),
--- /dev/null
+From d510acb610e6aa07a04b688236868b2a5fd60deb Mon Sep 17 00:00:00 2001
+From: Luka Guzenko <l.guzenko@web.de>
+Date: Tue, 25 Jul 2023 13:15:09 +0200
+Subject: ALSA: hda/relatek: Enable Mute LED on HP 250 G8
+
+From: Luka Guzenko <l.guzenko@web.de>
+
+commit d510acb610e6aa07a04b688236868b2a5fd60deb upstream.
+
+This HP Notebook used ALC236 codec with COEF 0x07 idx 1 controlling
+the mute LED. Enable already existing quirk for this device.
+
+Signed-off-by: Luka Guzenko <l.guzenko@web.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230725111509.623773-1-l.guzenko@web.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9457,6 +9457,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x880d, "HP EliteBook 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8811, "HP Spectre x360 15-eb1xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
+ SND_PCI_QUIRK(0x103c, 0x8812, "HP Spectre x360 15-eb1xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
++ SND_PCI_QUIRK(0x103c, 0x881d, "HP 250 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 8dbfc14fc736eb701089aff09645c3d4ad3decb1 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 20 Jul 2023 12:44:33 +0100
+Subject: btrfs: account block group tree when calculating global reserve size
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 8dbfc14fc736eb701089aff09645c3d4ad3decb1 upstream.
+
+When using the block group tree feature, this tree is a critical tree just
+like the extent, csum and free space trees, and just like them it uses the
+delayed refs block reserve.
+
+So take into account the block group tree, and its current size, when
+calculating the size for the global reserve.
+
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/block-rsv.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/block-rsv.c
++++ b/fs/btrfs/block-rsv.c
+@@ -377,6 +377,11 @@ void btrfs_update_global_block_rsv(struc
+ }
+ read_unlock(&fs_info->global_root_lock);
+
++ if (btrfs_fs_compat_ro(fs_info, BLOCK_GROUP_TREE)) {
++ num_bytes += btrfs_root_used(&fs_info->block_group_root->root_item);
++ min_items++;
++ }
++
+ /*
+ * But we also want to reserve enough space so we can do the fallback
+ * global reserve for an unlink, which is an additional 5 items (see the
--- /dev/null
+From b28ff3a7d7e97456fd86b68d24caa32e1cfa7064 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 21 Jul 2023 10:49:21 +0100
+Subject: btrfs: check for commit error at btrfs_attach_transaction_barrier()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit b28ff3a7d7e97456fd86b68d24caa32e1cfa7064 upstream.
+
+btrfs_attach_transaction_barrier() is used to get a handle pointing to the
+current running transaction if the transaction has not started its commit
+yet (its state is < TRANS_STATE_COMMIT_START). If the transaction commit
+has started, then we wait for the transaction to commit and finish before
+returning - however we completely ignore if the transaction was aborted
+due to some error during its commit, we simply return ERR_PT(-ENOENT),
+which makes the caller assume everything is fine and no errors happened.
+
+This could make an fsync return success (0) to user space when in fact we
+had a transaction abort and the target inode changes were therefore not
+persisted.
+
+Fix this by checking for the return value from btrfs_wait_for_commit(),
+and if it returned an error, return it back to the caller.
+
+Fixes: d4edf39bd5db ("Btrfs: fix uncompleted transaction")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -814,8 +814,13 @@ btrfs_attach_transaction_barrier(struct
+
+ trans = start_transaction(root, 0, TRANS_ATTACH,
+ BTRFS_RESERVE_NO_FLUSH, true);
+- if (trans == ERR_PTR(-ENOENT))
+- btrfs_wait_for_commit(root->fs_info, 0);
++ if (trans == ERR_PTR(-ENOENT)) {
++ int ret;
++
++ ret = btrfs_wait_for_commit(root->fs_info, 0);
++ if (ret)
++ return ERR_PTR(ret);
++ }
+
+ return trans;
+ }
--- /dev/null
+From bf7ecbe9875061bf3fce1883e3b26b77f847d1e8 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 21 Jul 2023 10:49:20 +0100
+Subject: btrfs: check if the transaction was aborted at btrfs_wait_for_commit()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit bf7ecbe9875061bf3fce1883e3b26b77f847d1e8 upstream.
+
+At btrfs_wait_for_commit() we wait for a transaction to finish and then
+always return 0 (success) without checking if it was aborted, in which
+case the transaction didn't happen due to some critical error. Fix this
+by checking if the transaction was aborted.
+
+Fixes: 462045928bda ("Btrfs: add START_SYNC, WAIT_SYNC ioctls")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/transaction.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -919,6 +919,7 @@ int btrfs_wait_for_commit(struct btrfs_f
+ }
+
+ wait_for_commit(cur_trans, TRANS_STATE_COMPLETED);
++ ret = cur_trans->aborted;
+ btrfs_put_transaction(cur_trans);
+ out:
+ return ret;
--- /dev/null
+From f8a2da6ec2417cca169fa85a8ab15817bccbb109 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 18 Jul 2023 11:43:54 +0200
+Subject: can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit f8a2da6ec2417cca169fa85a8ab15817bccbb109 upstream.
+
+After an initial link up the CAN device is in ERROR-ACTIVE mode. Due
+to a missing CAN_STATE_STOPPED in gs_can_close() it doesn't change to
+STOPPED after a link down:
+
+| ip link set dev can0 up
+| ip link set dev can0 down
+| ip --details link show can0
+| 13: can0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 10
+| link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0
+| can state ERROR-ACTIVE restart-ms 1000
+
+Add missing assignment of CAN_STATE_STOPPED in gs_can_close().
+
+Cc: stable@vger.kernel.org
+Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
+Link: https://lore.kernel.org/all/20230718-gs_usb-fix-can-state-v1-1-f19738ae2c23@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -989,6 +989,8 @@ static int gs_can_close(struct net_devic
+ usb_kill_anchored_urbs(&dev->tx_submitted);
+ atomic_set(&dev->active_tx_urbs, 0);
+
++ dev->can.state = CAN_STATE_STOPPED;
++
+ /* reset the device */
+ rc = gs_cmd_reset(dev);
+ if (rc < 0)
--- /dev/null
+From 3c1897ae4b6bc7cc586eda2feaa2cd68325ec29c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 30 Jun 2023 09:14:21 +0200
+Subject: Documentation: security-bugs.rst: clarify CVE handling
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 3c1897ae4b6bc7cc586eda2feaa2cd68325ec29c upstream.
+
+The kernel security team does NOT assign CVEs, so document that properly
+and provide the "if you want one, ask MITRE for it" response that we
+give on a weekly basis in the document, so we don't have to constantly
+say it to everyone who asks.
+
+Link: https://lore.kernel.org/r/2023063022-retouch-kerosene-7e4a@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/security-bugs.rst | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/Documentation/admin-guide/security-bugs.rst
++++ b/Documentation/admin-guide/security-bugs.rst
+@@ -79,13 +79,12 @@ not contribute to actually fixing any po
+ CVE assignment
+ --------------
+
+-The security team does not normally assign CVEs, nor do we require them
+-for reports or fixes, as this can needlessly complicate the process and
+-may delay the bug handling. If a reporter wishes to have a CVE identifier
+-assigned ahead of public disclosure, they will need to contact the private
+-linux-distros list, described above. When such a CVE identifier is known
+-before a patch is provided, it is desirable to mention it in the commit
+-message if the reporter agrees.
++The security team does not assign CVEs, nor do we require them for
++reports or fixes, as this can needlessly complicate the process and may
++delay the bug handling. If a reporter wishes to have a CVE identifier
++assigned, they should find one by themselves, for example by contacting
++MITRE directly. However under no circumstances will a patch inclusion
++be delayed to wait for a CVE identifier to arrive.
+
+ Non-disclosure agreements
+ -------------------------
--- /dev/null
+From 4fee0915e649bd0cea56dece6d96f8f4643df33c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 30 Jun 2023 09:14:20 +0200
+Subject: Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 4fee0915e649bd0cea56dece6d96f8f4643df33c upstream.
+
+Because the linux-distros group forces reporters to release information
+about reported bugs, and they impose arbitrary deadlines in having those
+bugs fixed despite not actually being kernel developers, the kernel
+security team recommends not interacting with them at all as this just
+causes confusion and the early-release of reported security problems.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/2023063020-throat-pantyhose-f110@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/security-bugs.rst | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/Documentation/admin-guide/security-bugs.rst
++++ b/Documentation/admin-guide/security-bugs.rst
+@@ -63,20 +63,18 @@ information submitted to the security li
+ of the report are treated confidentially even after the embargo has been
+ lifted, in perpetuity.
+
+-Coordination
+-------------
++Coordination with other groups
++------------------------------
+
+-Fixes for sensitive bugs, such as those that might lead to privilege
+-escalations, may need to be coordinated with the private
+-<linux-distros@vs.openwall.org> mailing list so that distribution vendors
+-are well prepared to issue a fixed kernel upon public disclosure of the
+-upstream fix. Distros will need some time to test the proposed patch and
+-will generally request at least a few days of embargo, and vendor update
+-publication prefers to happen Tuesday through Thursday. When appropriate,
+-the security team can assist with this coordination, or the reporter can
+-include linux-distros from the start. In this case, remember to prefix
+-the email Subject line with "[vs]" as described in the linux-distros wiki:
+-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
++The kernel security team strongly recommends that reporters of potential
++security issues NEVER contact the "linux-distros" mailing list until
++AFTER discussing it with the kernel security team. Do not Cc: both
++lists at once. You may contact the linux-distros mailing list after a
++fix has been agreed on and you fully understand the requirements that
++doing so will impose on you and the kernel community.
++
++The different lists have different goals and the linux-distros rules do
++not contribute to actually fixing any potential security problems.
+
+ CVE assignment
+ --------------
--- /dev/null
+From 20ea1e7d13c1b544fe67c4a8dc3943bb1ab33e6f Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Mon, 24 Jul 2023 17:00:49 +0200
+Subject: file: always lock position for FMODE_ATOMIC_POS
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 20ea1e7d13c1b544fe67c4a8dc3943bb1ab33e6f upstream.
+
+The pidfd_getfd() system call allows a caller with ptrace_may_access()
+abilities on another process to steal a file descriptor from this
+process. This system call is used by debuggers, container runtimes,
+system call supervisors, networking proxies etc. So while it is a
+special interest system call it is used in common tools.
+
+That ability ends up breaking our long-time optimization in fdget_pos(),
+which "knew" that if we had exclusive access to the file descriptor
+nobody else could access it, and we didn't need the lock for the file
+position.
+
+That check for file_count(file) was always fairly subtle - it depended
+on __fdget() not incrementing the file count for single-threaded
+processes and thus included that as part of the rule - but it did mean
+that we didn't need to take the lock in all those traditional unix
+process contexts.
+
+So it's sad to see this go, and I'd love to have some way to re-instate
+the optimization. At the same time, the lock obviously isn't ever
+contended in the case we optimized, so all we were optimizing away is
+the atomics and the cacheline dirtying. Let's see if anybody even
+notices that the optimization is gone.
+
+Link: https://lore.kernel.org/linux-fsdevel/20230724-vfs-fdget_pos-v1-1-a4abfd7103f3@kernel.org/
+Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
+Cc: stable@kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/file.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -1042,10 +1042,8 @@ unsigned long __fdget_pos(unsigned int f
+ struct file *file = (struct file *)(v & ~3);
+
+ if (file && (file->f_mode & FMODE_ATOMIC_POS)) {
+- if (file_count(file) > 1) {
+- v |= FDPUT_POS_UNLOCK;
+- mutex_lock(&file->f_pos_lock);
+- }
++ v |= FDPUT_POS_UNLOCK;
++ mutex_lock(&file->f_pos_lock);
+ }
+ return v;
+ }
--- /dev/null
+From e146503ac68418859fb063a3a0cd9ec93bc52238 Mon Sep 17 00:00:00 2001
+From: Baskaran Kannan <Baski.Kannan@amd.com>
+Date: Thu, 27 Jul 2023 11:21:59 -0500
+Subject: hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature
+
+From: Baskaran Kannan <Baski.Kannan@amd.com>
+
+commit e146503ac68418859fb063a3a0cd9ec93bc52238 upstream.
+
+Industrial processor i3255 supports temperatures -40 deg celcius
+to 105 deg Celcius. The current implementation of k10temp_read_temp
+rounds off any negative temperatures to '0'. To fix this,
+the following changes have been made.
+
+A flag 'disp_negative' is added to struct k10temp_data to support
+AMD i3255 processors. Flag 'disp_negative' is set if 3255 processor
+is found during k10temp_probe. Flag 'disp_negative' is used to
+determine whether to round off negative temperatures to '0' in
+k10temp_read_temp.
+
+Signed-off-by: Baskaran Kannan <Baski.Kannan@amd.com>
+Link: https://lore.kernel.org/r/20230727162159.1056136-1-Baski.Kannan@amd.com
+Fixes: aef17ca12719 ("hwmon: (k10temp) Only apply temperature offset if result is positive")
+Cc: stable@vger.kernel.org
+[groeck: Fixed multi-line comment]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/k10temp.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/k10temp.c
++++ b/drivers/hwmon/k10temp.c
+@@ -77,6 +77,13 @@ static DEFINE_MUTEX(nb_smu_ind_mutex);
+ #define ZEN_CUR_TEMP_RANGE_SEL_MASK BIT(19)
+ #define ZEN_CUR_TEMP_TJ_SEL_MASK GENMASK(17, 16)
+
++/*
++ * AMD's Industrial processor 3255 supports temperature from -40 deg to 105 deg Celsius.
++ * Use the model name to identify 3255 CPUs and set a flag to display negative temperature.
++ * Do not round off to zero for negative Tctl or Tdie values if the flag is set
++ */
++#define AMD_I3255_STR "3255"
++
+ struct k10temp_data {
+ struct pci_dev *pdev;
+ void (*read_htcreg)(struct pci_dev *pdev, u32 *regval);
+@@ -86,6 +93,7 @@ struct k10temp_data {
+ u32 show_temp;
+ bool is_zen;
+ u32 ccd_offset;
++ bool disp_negative;
+ };
+
+ #define TCTL_BIT 0
+@@ -204,12 +212,12 @@ static int k10temp_read_temp(struct devi
+ switch (channel) {
+ case 0: /* Tctl */
+ *val = get_raw_temp(data);
+- if (*val < 0)
++ if (*val < 0 && !data->disp_negative)
+ *val = 0;
+ break;
+ case 1: /* Tdie */
+ *val = get_raw_temp(data) - data->temp_offset;
+- if (*val < 0)
++ if (*val < 0 && !data->disp_negative)
+ *val = 0;
+ break;
+ case 2 ... 13: /* Tccd{1-12} */
+@@ -405,6 +413,11 @@ static int k10temp_probe(struct pci_dev
+ data->pdev = pdev;
+ data->show_temp |= BIT(TCTL_BIT); /* Always show Tctl */
+
++ if (boot_cpu_data.x86 == 0x17 &&
++ strstr(boot_cpu_data.x86_model_id, AMD_I3255_STR)) {
++ data->disp_negative = true;
++ }
++
+ if (boot_cpu_data.x86 == 0x15 &&
+ ((boot_cpu_data.x86_model & 0xf0) == 0x60 ||
+ (boot_cpu_data.x86_model & 0xf0) == 0x70)) {
--- /dev/null
+From 54685abe660a59402344d5045ce08c43c6a5ac42 Mon Sep 17 00:00:00 2001
+From: Gilles Buloz <Gilles.Buloz@kontron.com>
+Date: Mon, 24 Jul 2023 08:04:44 +0000
+Subject: hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
+
+From: Gilles Buloz <Gilles.Buloz@kontron.com>
+
+commit 54685abe660a59402344d5045ce08c43c6a5ac42 upstream.
+
+Because of hex value 0x46 used instead of decimal 46, the temp6
+(PECI1) temperature is always declared visible and then displayed
+even if disabled in the chip
+
+Signed-off-by: Gilles Buloz <gilles.buloz@kontron.com>
+Link: https://lore.kernel.org/r/DU0PR10MB62526435ADBC6A85243B90E08002A@DU0PR10MB6252.EURPRD10.PROD.OUTLOOK.COM
+Fixes: fcdc5739dce03 ("hwmon: (nct7802) add temperature sensor type attribute")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/nct7802.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -725,7 +725,7 @@ static umode_t nct7802_temp_is_visible(s
+ if (index >= 38 && index < 46 && !(reg & 0x01)) /* PECI 0 */
+ return 0;
+
+- if (index >= 0x46 && (!(reg & 0x02))) /* PECI 1 */
++ if (index >= 46 && !(reg & 0x02)) /* PECI 1 */
+ return 0;
+
+ return attr->mode;
--- /dev/null
+From eed3013faa401aae662398709410a59bb0646e32 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 11 Jul 2023 16:01:25 -0700
+Subject: KVM: Grab a reference to KVM for VM and vCPU stats file descriptors
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit eed3013faa401aae662398709410a59bb0646e32 upstream.
+
+Grab a reference to KVM prior to installing VM and vCPU stats file
+descriptors to ensure the underlying VM and vCPU objects are not freed
+until the last reference to any and all stats fds are dropped.
+
+Note, the stats paths manually invoke fd_install() and so don't need to
+grab a reference before creating the file.
+
+Fixes: ce55c049459c ("KVM: stats: Support binary stats retrieval for a VCPU")
+Fixes: fcfe1baeddbf ("KVM: stats: Support binary stats retrieval for a VM")
+Reported-by: Zheng Zhang <zheng.zhang@email.ucr.edu>
+Closes: https://lore.kernel.org/all/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com
+Cc: stable@vger.kernel.org
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Message-Id: <20230711230131.648752-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -4032,8 +4032,17 @@ static ssize_t kvm_vcpu_stats_read(struc
+ sizeof(vcpu->stat), user_buffer, size, offset);
+ }
+
++static int kvm_vcpu_stats_release(struct inode *inode, struct file *file)
++{
++ struct kvm_vcpu *vcpu = file->private_data;
++
++ kvm_put_kvm(vcpu->kvm);
++ return 0;
++}
++
+ static const struct file_operations kvm_vcpu_stats_fops = {
+ .read = kvm_vcpu_stats_read,
++ .release = kvm_vcpu_stats_release,
+ .llseek = noop_llseek,
+ };
+
+@@ -4054,6 +4063,9 @@ static int kvm_vcpu_ioctl_get_stats_fd(s
+ put_unused_fd(fd);
+ return PTR_ERR(file);
+ }
++
++ kvm_get_kvm(vcpu->kvm);
++
+ file->f_mode |= FMODE_PREAD;
+ fd_install(fd, file);
+
+@@ -4658,8 +4670,17 @@ static ssize_t kvm_vm_stats_read(struct
+ sizeof(kvm->stat), user_buffer, size, offset);
+ }
+
++static int kvm_vm_stats_release(struct inode *inode, struct file *file)
++{
++ struct kvm *kvm = file->private_data;
++
++ kvm_put_kvm(kvm);
++ return 0;
++}
++
+ static const struct file_operations kvm_vm_stats_fops = {
+ .read = kvm_vm_stats_read,
++ .release = kvm_vm_stats_release,
+ .llseek = noop_llseek,
+ };
+
+@@ -4678,6 +4699,9 @@ static int kvm_vm_ioctl_get_stats_fd(str
+ put_unused_fd(fd);
+ return PTR_ERR(file);
+ }
++
++ kvm_get_kvm(kvm);
++
+ file->f_mode |= FMODE_PREAD;
+ fd_install(fd, file);
+
--- /dev/null
+From c4abd7352023aa96114915a0bb2b88016a425cda Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 13 Jun 2023 13:30:36 -0700
+Subject: KVM: VMX: Don't fudge CR0 and CR4 for restricted L2 guest
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit c4abd7352023aa96114915a0bb2b88016a425cda upstream.
+
+Stuff CR0 and/or CR4 to be compliant with a restricted guest if and only
+if KVM itself is not configured to utilize unrestricted guests, i.e. don't
+stuff CR0/CR4 for a restricted L2 that is running as the guest of an
+unrestricted L1. Any attempt to VM-Enter a restricted guest with invalid
+CR0/CR4 values should fail, i.e. in a nested scenario, KVM (as L0) should
+never observe a restricted L2 with incompatible CR0/CR4, since nested
+VM-Enter from L1 should have failed.
+
+And if KVM does observe an active, restricted L2 with incompatible state,
+e.g. due to a KVM bug, fudging CR0/CR4 instead of letting VM-Enter fail
+does more harm than good, as KVM will often neglect to undo the side
+effects, e.g. won't clear rmode.vm86_active on nested VM-Exit, and thus
+the damage can easily spill over to L1. On the other hand, letting
+VM-Enter fail due to bad guest state is more likely to contain the damage
+to L2 as KVM relies on hardware to perform most guest state consistency
+checks, i.e. KVM needs to be able to reflect a failed nested VM-Enter into
+L1 irrespective of (un)restricted guest behavior.
+
+Cc: Jim Mattson <jmattson@google.com>
+Cc: stable@vger.kernel.org
+Fixes: bddd82d19e2e ("KVM: nVMX: KVM needs to unset "unrestricted guest" VM-execution control in vmcs02 if vmcs12 doesn't set it")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20230613203037.1968489-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1461,6 +1461,11 @@ void vmx_set_rflags(struct kvm_vcpu *vcp
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ unsigned long old_rflags;
+
++ /*
++ * Unlike CR0 and CR4, RFLAGS handling requires checking if the vCPU
++ * is an unrestricted guest in order to mark L2 as needing emulation
++ * if L1 runs L2 as a restricted guest.
++ */
+ if (is_unrestricted_guest(vcpu)) {
+ kvm_register_mark_available(vcpu, VCPU_EXREG_RFLAGS);
+ vmx->rflags = rflags;
+@@ -3169,7 +3174,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu,
+ old_cr0_pg = kvm_read_cr0_bits(vcpu, X86_CR0_PG);
+
+ hw_cr0 = (cr0 & ~KVM_VM_CR0_ALWAYS_OFF);
+- if (is_unrestricted_guest(vcpu))
++ if (enable_unrestricted_guest)
+ hw_cr0 |= KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST;
+ else {
+ hw_cr0 |= KVM_VM_CR0_ALWAYS_ON;
+@@ -3197,7 +3202,7 @@ void vmx_set_cr0(struct kvm_vcpu *vcpu,
+ }
+ #endif
+
+- if (enable_ept && !is_unrestricted_guest(vcpu)) {
++ if (enable_ept && !enable_unrestricted_guest) {
+ /*
+ * Ensure KVM has an up-to-date snapshot of the guest's CR3. If
+ * the below code _enables_ CR3 exiting, vmx_cache_reg() will
+@@ -3328,7 +3333,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu,
+ unsigned long hw_cr4;
+
+ hw_cr4 = (cr4_read_shadow() & X86_CR4_MCE) | (cr4 & ~X86_CR4_MCE);
+- if (is_unrestricted_guest(vcpu))
++ if (enable_unrestricted_guest)
+ hw_cr4 |= KVM_VM_CR4_ALWAYS_ON_UNRESTRICTED_GUEST;
+ else if (vmx->rmode.vm86_active)
+ hw_cr4 |= KVM_RMODE_VM_CR4_ALWAYS_ON;
+@@ -3348,7 +3353,7 @@ void vmx_set_cr4(struct kvm_vcpu *vcpu,
+ vcpu->arch.cr4 = cr4;
+ kvm_register_mark_available(vcpu, VCPU_EXREG_CR4);
+
+- if (!is_unrestricted_guest(vcpu)) {
++ if (!enable_unrestricted_guest) {
+ if (enable_ept) {
+ if (!is_paging(vcpu)) {
+ hw_cr4 &= ~X86_CR4_PAE;
--- /dev/null
+From 26a0652cb453c72f6aab0974bc4939e9b14f886b Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 13 Jun 2023 13:30:35 -0700
+Subject: KVM: x86: Disallow KVM_SET_SREGS{2} if incoming CR0 is invalid
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 26a0652cb453c72f6aab0974bc4939e9b14f886b upstream.
+
+Reject KVM_SET_SREGS{2} with -EINVAL if the incoming CR0 is invalid,
+e.g. due to setting bits 63:32, illegal combinations, or to a value that
+isn't allowed in VMX (non-)root mode. The VMX checks in particular are
+"fun" as failure to disallow Real Mode for an L2 that is configured with
+unrestricted guest disabled, when KVM itself has unrestricted guest
+enabled, will result in KVM forcing VM86 mode to virtual Real Mode for
+L2, but then fail to unwind the related metadata when synthesizing a
+nested VM-Exit back to L1 (which has unrestricted guest enabled).
+
+Opportunistically fix a benign typo in the prototype for is_valid_cr4().
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+5feef0b9ee9c8e9e5689@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000f316b705fdf6e2b4@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20230613203037.1968489-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm-x86-ops.h | 1 +
+ arch/x86/include/asm/kvm_host.h | 3 ++-
+ arch/x86/kvm/svm/svm.c | 6 ++++++
+ arch/x86/kvm/vmx/vmx.c | 28 +++++++++++++++++++++-------
+ arch/x86/kvm/x86.c | 34 ++++++++++++++++++++++------------
+ 5 files changed, 52 insertions(+), 20 deletions(-)
+
+--- a/arch/x86/include/asm/kvm-x86-ops.h
++++ b/arch/x86/include/asm/kvm-x86-ops.h
+@@ -36,6 +36,7 @@ KVM_X86_OP(get_segment)
+ KVM_X86_OP(get_cpl)
+ KVM_X86_OP(set_segment)
+ KVM_X86_OP(get_cs_db_l_bits)
++KVM_X86_OP(is_valid_cr0)
+ KVM_X86_OP(set_cr0)
+ KVM_X86_OP_OPTIONAL(post_set_cr3)
+ KVM_X86_OP(is_valid_cr4)
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1488,9 +1488,10 @@ struct kvm_x86_ops {
+ void (*set_segment)(struct kvm_vcpu *vcpu,
+ struct kvm_segment *var, int seg);
+ void (*get_cs_db_l_bits)(struct kvm_vcpu *vcpu, int *db, int *l);
++ bool (*is_valid_cr0)(struct kvm_vcpu *vcpu, unsigned long cr0);
+ void (*set_cr0)(struct kvm_vcpu *vcpu, unsigned long cr0);
+ void (*post_set_cr3)(struct kvm_vcpu *vcpu, unsigned long cr3);
+- bool (*is_valid_cr4)(struct kvm_vcpu *vcpu, unsigned long cr0);
++ bool (*is_valid_cr4)(struct kvm_vcpu *vcpu, unsigned long cr4);
+ void (*set_cr4)(struct kvm_vcpu *vcpu, unsigned long cr4);
+ int (*set_efer)(struct kvm_vcpu *vcpu, u64 efer);
+ void (*get_idt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -1763,6 +1763,11 @@ static void sev_post_set_cr3(struct kvm_
+ }
+ }
+
++static bool svm_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
++{
++ return true;
++}
++
+ void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+@@ -4749,6 +4754,7 @@ static struct kvm_x86_ops svm_x86_ops __
+ .set_segment = svm_set_segment,
+ .get_cpl = svm_get_cpl,
+ .get_cs_db_l_bits = svm_get_cs_db_l_bits,
++ .is_valid_cr0 = svm_is_valid_cr0,
+ .set_cr0 = svm_set_cr0,
+ .post_set_cr3 = sev_post_set_cr3,
+ .is_valid_cr4 = svm_is_valid_cr4,
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2975,6 +2975,15 @@ static void enter_rmode(struct kvm_vcpu
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ struct kvm_vmx *kvm_vmx = to_kvm_vmx(vcpu->kvm);
+
++ /*
++ * KVM should never use VM86 to virtualize Real Mode when L2 is active,
++ * as using VM86 is unnecessary if unrestricted guest is enabled, and
++ * if unrestricted guest is disabled, VM-Enter (from L1) with CR0.PG=0
++ * should VM-Fail and KVM should reject userspace attempts to stuff
++ * CR0.PG=0 when L2 is active.
++ */
++ WARN_ON_ONCE(is_guest_mode(vcpu));
++
+ vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_TR], VCPU_SREG_TR);
+ vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_ES], VCPU_SREG_ES);
+ vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_DS], VCPU_SREG_DS);
+@@ -3165,6 +3174,17 @@ void ept_save_pdptrs(struct kvm_vcpu *vc
+ #define CR3_EXITING_BITS (CPU_BASED_CR3_LOAD_EXITING | \
+ CPU_BASED_CR3_STORE_EXITING)
+
++static bool vmx_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
++{
++ if (is_guest_mode(vcpu))
++ return nested_guest_cr0_valid(vcpu, cr0);
++
++ if (to_vmx(vcpu)->nested.vmxon)
++ return nested_host_cr0_valid(vcpu, cr0);
++
++ return true;
++}
++
+ void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -5316,18 +5336,11 @@ static int handle_set_cr0(struct kvm_vcp
+ val = (val & ~vmcs12->cr0_guest_host_mask) |
+ (vmcs12->guest_cr0 & vmcs12->cr0_guest_host_mask);
+
+- if (!nested_guest_cr0_valid(vcpu, val))
+- return 1;
+-
+ if (kvm_set_cr0(vcpu, val))
+ return 1;
+ vmcs_writel(CR0_READ_SHADOW, orig_val);
+ return 0;
+ } else {
+- if (to_vmx(vcpu)->nested.vmxon &&
+- !nested_host_cr0_valid(vcpu, val))
+- return 1;
+-
+ return kvm_set_cr0(vcpu, val);
+ }
+ }
+@@ -8117,6 +8130,7 @@ static struct kvm_x86_ops vmx_x86_ops __
+ .set_segment = vmx_set_segment,
+ .get_cpl = vmx_get_cpl,
+ .get_cs_db_l_bits = vmx_get_cs_db_l_bits,
++ .is_valid_cr0 = vmx_is_valid_cr0,
+ .set_cr0 = vmx_set_cr0,
+ .is_valid_cr4 = vmx_is_valid_cr4,
+ .set_cr4 = vmx_set_cr4,
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -908,6 +908,22 @@ int load_pdptrs(struct kvm_vcpu *vcpu, u
+ }
+ EXPORT_SYMBOL_GPL(load_pdptrs);
+
++static bool kvm_is_valid_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
++{
++#ifdef CONFIG_X86_64
++ if (cr0 & 0xffffffff00000000UL)
++ return false;
++#endif
++
++ if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD))
++ return false;
++
++ if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE))
++ return false;
++
++ return static_call(kvm_x86_is_valid_cr0)(vcpu, cr0);
++}
++
+ void kvm_post_set_cr0(struct kvm_vcpu *vcpu, unsigned long old_cr0, unsigned long cr0)
+ {
+ /*
+@@ -948,20 +964,13 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, u
+ {
+ unsigned long old_cr0 = kvm_read_cr0(vcpu);
+
+- cr0 |= X86_CR0_ET;
+-
+-#ifdef CONFIG_X86_64
+- if (cr0 & 0xffffffff00000000UL)
++ if (!kvm_is_valid_cr0(vcpu, cr0))
+ return 1;
+-#endif
+-
+- cr0 &= ~CR0_RESERVED_BITS;
+
+- if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD))
+- return 1;
++ cr0 |= X86_CR0_ET;
+
+- if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE))
+- return 1;
++ /* Write to CR0 reserved bits are ignored, even on Intel. */
++ cr0 &= ~CR0_RESERVED_BITS;
+
+ #ifdef CONFIG_X86_64
+ if ((vcpu->arch.efer & EFER_LME) && !is_paging(vcpu) &&
+@@ -11532,7 +11541,8 @@ static bool kvm_is_valid_sregs(struct kv
+ return false;
+ }
+
+- return kvm_is_valid_cr4(vcpu, sregs->cr4);
++ return kvm_is_valid_cr4(vcpu, sregs->cr4) &&
++ kvm_is_valid_cr0(vcpu, sregs->cr0);
+ }
+
+ static int __set_sregs_common(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs,
--- /dev/null
+From f75546f58a70da5cfdcec5a45ffc377885ccbee8 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 18 Jul 2023 08:38:37 -0400
+Subject: nfsd: Remove incorrect check in nfsd4_validate_stateid
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit f75546f58a70da5cfdcec5a45ffc377885ccbee8 upstream.
+
+If the client is calling TEST_STATEID, then it is because some event
+occurred that requires it to check all the stateids for validity and
+call FREE_STATEID on the ones that have been revoked. In this case,
+either the stateid exists in the list of stateids associated with that
+nfs4_client, in which case it should be tested, or it does not. There
+are no additional conditions to be considered.
+
+Reported-by: "Frank Ch. Eigler" <fche@redhat.com>
+Fixes: 7df302f75ee2 ("NFSD: TEST_STATEID should not return NFS4ERR_STALE_STATEID")
+Cc: stable@vger.kernel.org # v5.7+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6269,8 +6269,6 @@ static __be32 nfsd4_validate_stateid(str
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
+ CLOSE_STATEID(stateid))
+ return status;
+- if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid))
+- return status;
+ spin_lock(&cl->cl_lock);
+ s = find_stateid_locked(cl, stateid);
+ if (!s)
--- /dev/null
+From 734ae15ab95a18d3d425fc9cb38b7a627d786f08 Mon Sep 17 00:00:00 2001
+From: Jakub Vanek <linuxtardis@gmail.com>
+Date: Fri, 14 Jul 2023 14:24:19 +0200
+Subject: Revert "usb: dwc3: core: Enable AutoRetry feature in the controller"
+
+From: Jakub Vanek <linuxtardis@gmail.com>
+
+commit 734ae15ab95a18d3d425fc9cb38b7a627d786f08 upstream.
+
+This reverts commit b138e23d3dff90c0494925b4c1874227b81bddf7.
+
+AutoRetry has been found to sometimes cause controller freezes when
+communicating with buggy USB devices.
+
+This controller feature allows the controller in host mode to send
+non-terminating/burst retry ACKs instead of terminating retry ACKs
+to devices when a transaction error (CRC error or overflow) occurs.
+
+Unfortunately, if the USB device continues to respond with a CRC error,
+the controller will not complete endpoint-related commands while it
+keeps trying to auto-retry. [3] The xHCI driver will notice this once
+it tries to abort the transfer using a Stop Endpoint command and
+does not receive a completion in time. [1]
+This situation is reported to dmesg:
+
+[sda] tag#29 uas_eh_abort_handler 0 uas-tag 1 inflight: CMD IN
+[sda] tag#29 CDB: opcode=0x28 28 00 00 69 42 80 00 00 48 00
+xhci-hcd: xHCI host not responding to stop endpoint command
+xhci-hcd: xHCI host controller not responding, assume dead
+xhci-hcd: HC died; cleaning up
+
+Some users observed this problem on an Odroid HC2 with the JMS578
+USB3-to-SATA bridge. The issue can be triggered by starting
+a read-heavy workload on an attached SSD. After a while, the host
+controller would die and the SSD would disappear from the system. [1]
+
+Further analysis by Synopsys determined that controller revisions
+other than the one in Odroid HC2 are also affected by this.
+The recommended solution was to disable AutoRetry altogether.
+This change does not have a noticeable performance impact. [2]
+
+Revert the enablement commit. This will keep the AutoRetry bit in
+the default state configured during SoC design [2].
+
+Fixes: b138e23d3dff ("usb: dwc3: core: Enable AutoRetry feature in the controller")
+Link: https://lore.kernel.org/r/a21f34c04632d250cd0a78c7c6f4a1c9c7a43142.camel@gmail.com/ [1]
+Link: https://lore.kernel.org/r/20230711214834.kyr6ulync32d4ktk@synopsys.com/ [2]
+Link: https://lore.kernel.org/r/20230712225518.2smu7wse6djc7l5o@synopsys.com/ [3]
+Cc: stable@vger.kernel.org
+Cc: Mauro Ribeiro <mauro.ribeiro@hardkernel.com>
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Jakub Vanek <linuxtardis@gmail.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230714122419.27741-1-linuxtardis@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 16 ----------------
+ drivers/usb/dwc3/core.h | 3 ---
+ 2 files changed, 19 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1241,22 +1241,6 @@ static int dwc3_core_init(struct dwc3 *d
+ dwc3_writel(dwc->regs, DWC3_GUCTL1, reg);
+ }
+
+- if (dwc->dr_mode == USB_DR_MODE_HOST ||
+- dwc->dr_mode == USB_DR_MODE_OTG) {
+- reg = dwc3_readl(dwc->regs, DWC3_GUCTL);
+-
+- /*
+- * Enable Auto retry Feature to make the controller operating in
+- * Host mode on seeing transaction errors(CRC errors or internal
+- * overrun scenerios) on IN transfers to reply to the device
+- * with a non-terminating retry ACK (i.e, an ACK transcation
+- * packet with Retry=1 & Nump != 0)
+- */
+- reg |= DWC3_GUCTL_HSTINAUTORETRY;
+-
+- dwc3_writel(dwc->regs, DWC3_GUCTL, reg);
+- }
+-
+ /*
+ * Must config both number of packets and max burst settings to enable
+ * RX and/or TX threshold.
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -254,9 +254,6 @@
+ #define DWC3_GCTL_GBLHIBERNATIONEN BIT(1)
+ #define DWC3_GCTL_DSBLCLKGTNG BIT(0)
+
+-/* Global User Control Register */
+-#define DWC3_GUCTL_HSTINAUTORETRY BIT(14)
+-
+ /* Global User Control 1 Register */
+ #define DWC3_GUCTL1_DEV_DECOUPLE_L1L2_EVT BIT(31)
+ #define DWC3_GUCTL1_TX_IPGAP_LINECHECK_DIS BIT(28)
--- /dev/null
+From a8291be6b5dd465c22af229483dbac543a91e24e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Tue, 4 Jul 2023 17:09:09 +0300
+Subject: Revert "usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()"
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit a8291be6b5dd465c22af229483dbac543a91e24e upstream.
+
+This reverts commit f08aa7c80dac27ee00fa6827f447597d2fba5465.
+
+The reverted commit was based on static analysis and a misunderstanding
+of how PTR_ERR() and NULLs are supposed to work. When a function
+returns both pointer errors and NULL then normally the NULL means
+"continue operating without a feature because it was deliberately
+turned off". The NULL should not be treated as a failure. If a driver
+cannot work when that feature is disabled then the KConfig should
+enforce that the function cannot return NULL. We should not need to
+test for it.
+
+In this driver, the bug means that probe cannot succeed when CONFIG_PM
+is disabled.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: f08aa7c80dac ("usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()")
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/ZKQoBa84U/ykEh3C@moroto
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/tegra-xudc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/udc/tegra-xudc.c
++++ b/drivers/usb/gadget/udc/tegra-xudc.c
+@@ -3695,15 +3695,15 @@ static int tegra_xudc_powerdomain_init(s
+ int err;
+
+ xudc->genpd_dev_device = dev_pm_domain_attach_by_name(dev, "dev");
+- if (IS_ERR_OR_NULL(xudc->genpd_dev_device)) {
+- err = PTR_ERR(xudc->genpd_dev_device) ? : -ENODATA;
++ if (IS_ERR(xudc->genpd_dev_device)) {
++ err = PTR_ERR(xudc->genpd_dev_device);
+ dev_err(dev, "failed to get device power domain: %d\n", err);
+ return err;
+ }
+
+ xudc->genpd_dev_ss = dev_pm_domain_attach_by_name(dev, "ss");
+- if (IS_ERR_OR_NULL(xudc->genpd_dev_ss)) {
+- err = PTR_ERR(xudc->genpd_dev_ss) ? : -ENODATA;
++ if (IS_ERR(xudc->genpd_dev_ss)) {
++ err = PTR_ERR(xudc->genpd_dev_ss);
+ dev_err(dev, "failed to get SuperSpeed power domain: %d\n", err);
+ return err;
+ }
--- /dev/null
+From 288b4fa1798e3637a9304c6e90a93d900e02369c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Tue, 4 Jul 2023 17:08:27 +0300
+Subject: Revert "usb: xhci: tegra: Fix error check"
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 288b4fa1798e3637a9304c6e90a93d900e02369c upstream.
+
+This reverts commit 18fc7c435be3f17ea26a21b2e2312fcb9088e01f.
+
+The reverted commit was based on static analysis and a misunderstanding
+of how PTR_ERR() and NULLs are supposed to work. When a function
+returns both pointer errors and NULL then normally the NULL means
+"continue operating without a feature because it was deliberately
+turned off". The NULL should not be treated as a failure. If a driver
+cannot work when that feature is disabled then the KConfig should
+enforce that the function cannot return NULL. We should not need to
+test for it.
+
+In this code, the patch means that certain tegra_xusb_probe() will
+fail if the firmware supports power-domains but CONFIG_PM is disabled.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 18fc7c435be3 ("usb: xhci: tegra: Fix error check")
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/8baace8d-fb4b-41a4-ad5f-848ae643a23b@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-tegra.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-tegra.c
++++ b/drivers/usb/host/xhci-tegra.c
+@@ -1010,15 +1010,15 @@ static int tegra_xusb_powerdomain_init(s
+ int err;
+
+ tegra->genpd_dev_host = dev_pm_domain_attach_by_name(dev, "xusb_host");
+- if (IS_ERR_OR_NULL(tegra->genpd_dev_host)) {
+- err = PTR_ERR(tegra->genpd_dev_host) ? : -ENODATA;
++ if (IS_ERR(tegra->genpd_dev_host)) {
++ err = PTR_ERR(tegra->genpd_dev_host);
+ dev_err(dev, "failed to get host pm-domain: %d\n", err);
+ return err;
+ }
+
+ tegra->genpd_dev_ss = dev_pm_domain_attach_by_name(dev, "xusb_ss");
+- if (IS_ERR_OR_NULL(tegra->genpd_dev_ss)) {
+- err = PTR_ERR(tegra->genpd_dev_ss) ? : -ENODATA;
++ if (IS_ERR(tegra->genpd_dev_ss)) {
++ err = PTR_ERR(tegra->genpd_dev_ss);
+ dev_err(dev, "failed to get superspeed pm-domain: %d\n", err);
+ return err;
+ }
--- /dev/null
+From 5bef4b3cb95a5b883dfec8b3ffc0d671323d55bb Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 13 Jul 2023 13:28:10 +0200
+Subject: Revert "xhci: add quirk for host controllers that don't update endpoint DCS"
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 5bef4b3cb95a5b883dfec8b3ffc0d671323d55bb upstream.
+
+This reverts commit 5255660b208aebfdb71d574f3952cf48392f4306.
+
+This quirk breaks at least the following hardware:
+
+0b:00.0 0c03: 1106:3483 (rev 01) (prog-if 30 [XHCI])
+ Subsystem: 1106:3483
+ Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
+ Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
+ Latency: 0, Cache Line Size: 64 bytes
+ Interrupt: pin A routed to IRQ 66
+ Region 0: Memory at fb400000 (64-bit, non-prefetchable) [size=4K]
+ Capabilities: [80] Power Management version 3
+ Flags: PMEClk- DSI- D1- D2- AuxCurrent=375mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
+ Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
+ Capabilities: [90] MSI: Enable+ Count=1/4 Maskable- 64bit+
+ Address: 00000000fee007b8 Data: 0000
+ Capabilities: [c4] Express (v2) Endpoint, MSI 00
+ DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <64ns, L1 <1us
+ ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 89W
+ DevCtl: CorrErr- NonFatalErr- FatalErr- UnsupReq-
+ RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop+
+ MaxPayload 128 bytes, MaxReadReq 512 bytes
+ DevSta: CorrErr- NonFatalErr- FatalErr- UnsupReq- AuxPwr+ TransPend-
+ LnkCap: Port #0, Speed 5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <2us, L1 <16us
+ ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp-
+ LnkCtl: ASPM Disabled; RCB 64 bytes, Disabled- CommClk+
+ ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
+ LnkSta: Speed 5GT/s, Width x1
+ TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
+ DevCap2: Completion Timeout: Range B, TimeoutDis+ NROPrPrP- LTR-
+ 10BitTagComp- 10BitTagReq- OBFF Not Supported, ExtFmt- EETLPPrefix-
+ EmergencyPowerReduction Not Supported, EmergencyPowerReductionInit-
+ FRS- TPHComp- ExtTPHComp-
+ AtomicOpsCap: 32bit- 64bit- 128bitCAS-
+ DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis- LTR- 10BitTagReq- OBFF Disabled,
+ AtomicOpsCtl: ReqEn-
+ LnkCtl2: Target Link Speed: 5GT/s, EnterCompliance- SpeedDis-
+ Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
+ Compliance Preset/De-emphasis: -6dB de-emphasis, 0dB preshoot
+ LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete- EqualizationPhase1-
+ EqualizationPhase2- EqualizationPhase3- LinkEqualizationRequest-
+ Retimer- 2Retimers- CrosslinkRes: unsupported
+ Capabilities: [100 v1] Advanced Error Reporting
+ UESta: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
+ UEMsk: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
+ UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
+ CESta: RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr-
+ CEMsk: RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr+
+ AERCap: First Error Pointer: 00, ECRCGenCap- ECRCGenEn- ECRCChkCap- ECRCChkEn-
+ MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
+ HeaderLog: 00000000 00000000 00000000 00000000
+ Kernel driver in use: xhci_hcd
+ Kernel modules: xhci_pci
+
+with the quirk enabled it fails early with
+
+[ 0.754373] pci 0000:0b:00.0: xHCI HW did not halt within 32000 usec status = 0x1000
+[ 0.754419] pci 0000:0b:00.0: quirk_usb_early_handoff+0x0/0x7a0 took 31459 usecs
+[ 2.228048] xhci_hcd 0000:0b:00.0: xHCI Host Controller
+[ 2.228053] xhci_hcd 0000:0b:00.0: new USB bus registered, assigned bus number 7
+[ 2.260073] xhci_hcd 0000:0b:00.0: Host halt failed, -110
+[ 2.260079] xhci_hcd 0000:0b:00.0: can't setup: -110
+[ 2.260551] xhci_hcd 0000:0b:00.0: USB bus 7 deregistered
+[ 2.260624] xhci_hcd 0000:0b:00.0: init 0000:0b:00.0 fail, -110
+[ 2.260639] xhci_hcd: probe of 0000:0b:00.0 failed with error -110
+
+The hardware in question is an external PCIe card. It looks to me like the quirk
+needs to be narrowed down. But this needs information about the hardware showing
+the issue this quirk is to fix. So for now a clean revert.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: 5255660b208a ("xhci: add quirk for host controllers that don't update endpoint DCS")
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230713112830.21773-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 4 +---
+ drivers/usb/host/xhci-ring.c | 25 +------------------------
+ 2 files changed, 2 insertions(+), 27 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -293,10 +293,8 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == 0x3432)
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+
+- if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483) {
++ if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483)
+ xhci->quirks |= XHCI_LPM_SUPPORT;
+- xhci->quirks |= XHCI_EP_CTX_BROKEN_DCS;
+- }
+
+ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+ pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI) {
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -592,11 +592,8 @@ static int xhci_move_dequeue_past_td(str
+ struct xhci_ring *ep_ring;
+ struct xhci_command *cmd;
+ struct xhci_segment *new_seg;
+- struct xhci_segment *halted_seg = NULL;
+ union xhci_trb *new_deq;
+ int new_cycle;
+- union xhci_trb *halted_trb;
+- int index = 0;
+ dma_addr_t addr;
+ u64 hw_dequeue;
+ bool cycle_found = false;
+@@ -634,27 +631,7 @@ static int xhci_move_dequeue_past_td(str
+ hw_dequeue = xhci_get_hw_deq(xhci, dev, ep_index, stream_id);
+ new_seg = ep_ring->deq_seg;
+ new_deq = ep_ring->dequeue;
+-
+- /*
+- * Quirk: xHC write-back of the DCS field in the hardware dequeue
+- * pointer is wrong - use the cycle state of the TRB pointed to by
+- * the dequeue pointer.
+- */
+- if (xhci->quirks & XHCI_EP_CTX_BROKEN_DCS &&
+- !(ep->ep_state & EP_HAS_STREAMS))
+- halted_seg = trb_in_td(xhci, td->start_seg,
+- td->first_trb, td->last_trb,
+- hw_dequeue & ~0xf, false);
+- if (halted_seg) {
+- index = ((dma_addr_t)(hw_dequeue & ~0xf) - halted_seg->dma) /
+- sizeof(*halted_trb);
+- halted_trb = &halted_seg->trbs[index];
+- new_cycle = halted_trb->generic.field[3] & 0x1;
+- xhci_dbg(xhci, "Endpoint DCS = %d TRB index = %d cycle = %d\n",
+- (u8)(hw_dequeue & 0x1), index, new_cycle);
+- } else {
+- new_cycle = hw_dequeue & 0x1;
+- }
++ new_cycle = hw_dequeue & 0x1;
+
+ /*
+ * We want to find the pointer, segment and cycle state of the new trb
--- /dev/null
+From 748c5ea8b8796ae8ee80b8d3a3d940570b588d59 Mon Sep 17 00:00:00 2001
+From: Ruihong Luo <colorsu1922@gmail.com>
+Date: Thu, 13 Jul 2023 08:42:36 +0800
+Subject: serial: 8250_dw: Preserve original value of DLF register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ruihong Luo <colorsu1922@gmail.com>
+
+commit 748c5ea8b8796ae8ee80b8d3a3d940570b588d59 upstream.
+
+Preserve the original value of the Divisor Latch Fraction (DLF) register.
+When the DLF register is modified without preservation, it can disrupt
+the baudrate settings established by firmware or bootloader, leading to
+data corruption and the generation of unreadable or distorted characters.
+
+Fixes: 701c5e73b296 ("serial: 8250_dw: add fractional divisor support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ruihong Luo <colorsu1922@gmail.com>
+Link: https://lore.kernel.org/stable/20230713004235.35904-1-colorsu1922%40gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230713004235.35904-1-colorsu1922@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_dwlib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_dwlib.c
++++ b/drivers/tty/serial/8250/8250_dwlib.c
+@@ -244,7 +244,7 @@ void dw8250_setup_port(struct uart_port
+ struct dw8250_port_data *pd = p->private_data;
+ struct dw8250_data *data = to_dw8250_data(pd);
+ struct uart_8250_port *up = up_to_u8250p(p);
+- u32 reg;
++ u32 reg, old_dlf;
+
+ pd->hw_rs485_support = dw8250_detect_rs485_hw(p);
+ if (pd->hw_rs485_support) {
+@@ -270,9 +270,11 @@ void dw8250_setup_port(struct uart_port
+ dev_dbg(p->dev, "Designware UART version %c.%c%c\n",
+ (reg >> 24) & 0xff, (reg >> 16) & 0xff, (reg >> 8) & 0xff);
+
++ /* Preserve value written by firmware or bootloader */
++ old_dlf = dw8250_readl_ext(p, DW_UART_DLF);
+ dw8250_writel_ext(p, DW_UART_DLF, ~0U);
+ reg = dw8250_readl_ext(p, DW_UART_DLF);
+- dw8250_writel_ext(p, DW_UART_DLF, 0);
++ dw8250_writel_ext(p, DW_UART_DLF, old_dlf);
+
+ if (reg) {
+ pd->dlf_size = fls(reg);
--- /dev/null
+From 4dd8752a14ca0303fbdf0a6c68ff65f0a50bd2fa Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Thu, 13 Jul 2023 16:57:41 +0200
+Subject: serial: qcom-geni: drop bogus runtime pm state update
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 4dd8752a14ca0303fbdf0a6c68ff65f0a50bd2fa upstream.
+
+The runtime PM state should not be changed by drivers that do not
+implement runtime PM even if it happens to work around a bug in PM core.
+
+With the wake irq arming now fixed, drop the bogus runtime PM state
+update which left the device in active state (and could potentially
+prevent a parent device from suspending).
+
+Fixes: f3974413cf02 ("tty: serial: qcom_geni_serial: Wakeup IRQ cleanup")
+Cc: 5.6+ <stable@vger.kernel.org> # 5.6+
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/qcom_geni_serial.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -1495,13 +1495,6 @@ static int qcom_geni_serial_probe(struct
+ if (ret)
+ return ret;
+
+- /*
+- * Set pm_runtime status as ACTIVE so that wakeup_irq gets
+- * enabled/disabled from dev_pm_arm_wake_irq during system
+- * suspend/resume respectively.
+- */
+- pm_runtime_set_active(&pdev->dev);
+-
+ if (port->wakeup_irq > 0) {
+ device_init_wakeup(&pdev->dev, true);
+ ret = dev_pm_set_dedicated_wake_irq(&pdev->dev,
--- /dev/null
+From 9b8fef6345d5487137d4193bb0a0eae2203c284e Mon Sep 17 00:00:00 2001
+From: Samuel Holland <samuel.holland@sifive.com>
+Date: Fri, 23 Jun 2023 23:01:59 -0700
+Subject: serial: sifive: Fix sifive_serial_console_setup() section
+
+From: Samuel Holland <samuel.holland@sifive.com>
+
+commit 9b8fef6345d5487137d4193bb0a0eae2203c284e upstream.
+
+This function is called indirectly from the platform driver probe
+function. Even if the driver is built in, it may be probed after
+free_initmem() due to deferral or unbinding/binding via sysfs.
+Thus the function cannot be marked as __init.
+
+Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
+Link: https://lore.kernel.org/r/20230624060159.3401369-1-samuel.holland@sifive.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sifive.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sifive.c
++++ b/drivers/tty/serial/sifive.c
+@@ -832,7 +832,7 @@ static void sifive_serial_console_write(
+ local_irq_restore(flags);
+ }
+
+-static int __init sifive_serial_console_setup(struct console *co, char *options)
++static int sifive_serial_console_setup(struct console *co, char *options)
+ {
+ struct sifive_serial_port *ssp;
+ int baud = SIFIVE_DEFAULT_BAUD_RATE;
ata-pata_ns87415-mark-ns87560_tf_read-static.patch
ring-buffer-fix-wrong-stat-of-cpu_buffer-read.patch
tracing-fix-warning-in-trace_buffered_event_disable.patch
+revert-usb-gadget-tegra-xudc-fix-error-check-in-tegra_xudc_powerdomain_init.patch
+usb-gadget-call-usb_gadget_check_config-to-verify-udc-capability.patch
+usb-gadget-fix-the-memory-leak-in-raw_gadget-driver.patch
+usb-gadget-core-remove-unbalanced-mutex_unlock-in-usb_gadget_activate.patch
+kvm-grab-a-reference-to-kvm-for-vm-and-vcpu-stats-file-descriptors.patch
+kvm-vmx-don-t-fudge-cr0-and-cr4-for-restricted-l2-guest.patch
+kvm-x86-disallow-kvm_set_sregs-2-if-incoming-cr0-is-invalid.patch
+serial-qcom-geni-drop-bogus-runtime-pm-state-update.patch
+serial-8250_dw-preserve-original-value-of-dlf-register.patch
+serial-sifive-fix-sifive_serial_console_setup-section.patch
+usb-serial-option-support-quectel-em060k_128.patch
+usb-serial-option-add-quectel-ec200a-module-support.patch
+usb-serial-simple-add-kaufmann-rks-can-vcp.patch
+usb-serial-simple-sort-driver-entries.patch
+can-gs_usb-gs_can_close-add-missing-set-of-can-state-to-can_state_stopped.patch
+usb-typec-set-port-pd-before-adding-device-for-typec_port.patch
+usb-typec-iterate-pds-array-when-showing-the-pd-list.patch
+usb-typec-use-sysfs_emit_at-when-concatenating-the-string.patch
+revert-usb-dwc3-core-enable-autoretry-feature-in-the-controller.patch
+usb-dwc3-pci-skip-byt-gpio-lookup-table-for-hardwired-phy.patch
+usb-dwc3-don-t-reset-device-side-if-dwc3-was-configured-as-host-only.patch
+usb-misc-ehset-fix-wrong-if-condition.patch
+usb-ohci-at91-fix-the-unhandle-interrupt-when-resume.patch
+usb-quirks-add-quirk-for-focusrite-scarlett.patch
+usb-cdns3-fix-incorrect-calculation-of-ep_buf_size-when-more-than-one-config.patch
+usb-xhci-mtk-set-the-dma-max_seg_size.patch
+revert-usb-xhci-tegra-fix-error-check.patch
+documentation-security-bugs.rst-update-preferences-when-dealing-with-the-linux-distros-group.patch
+documentation-security-bugs.rst-clarify-cve-handling.patch
+staging-r8712-fix-memory-leak-in-_r8712_init_xmit_priv.patch
+staging-ks7010-potential-buffer-overflow-in-ks_wlan_set_encode_ext.patch
+tty-n_gsm-fix-uaf-in-gsm_cleanup_mux.patch
+revert-xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch
+alsa-hda-realtek-support-asus-g713pv-laptop.patch
+alsa-hda-relatek-enable-mute-led-on-hp-250-g8.patch
+hwmon-k10temp-enable-amd3255-proc-to-show-negative-temperature.patch
+hwmon-nct7802-fix-for-temp6-peci1-processed-even-if-peci1-disabled.patch
+btrfs-account-block-group-tree-when-calculating-global-reserve-size.patch
+btrfs-check-if-the-transaction-was-aborted-at-btrfs_wait_for_commit.patch
+btrfs-check-for-commit-error-at-btrfs_attach_transaction_barrier.patch
+x86-mce-amd-decrement-threshold_bank-refcount-when-removing-threshold-blocks.patch
+file-always-lock-position-for-fmode_atomic_pos.patch
+nfsd-remove-incorrect-check-in-nfsd4_validate_stateid.patch
+acpi-iort-remove-erroneous-id_count-check-in-iort_node_get_rmr_info.patch
+tpm_tis-explicitly-check-for-error-code.patch
--- /dev/null
+From 5f1c7031e044cb2fba82836d55cc235e2ad619dc Mon Sep 17 00:00:00 2001
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+Date: Sun, 9 Jul 2023 13:50:07 +0800
+Subject: staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+commit 5f1c7031e044cb2fba82836d55cc235e2ad619dc upstream.
+
+The "exc->key_len" is a u16 that comes from the user. If it's over
+IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.
+
+Fixes: b121d84882b9 ("staging: ks7010: simplify calls to memcpy()")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/tencent_5153B668C0283CAA15AA518325346E026A09@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/ks7010/ks_wlan_net.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_wlan_net.c
++++ b/drivers/staging/ks7010/ks_wlan_net.c
+@@ -1584,8 +1584,10 @@ static int ks_wlan_set_encode_ext(struct
+ commit |= SME_WEP_FLAG;
+ }
+ if (enc->key_len) {
+- memcpy(&key->key_val[0], &enc->key[0], enc->key_len);
+- key->key_len = enc->key_len;
++ int key_len = clamp_val(enc->key_len, 0, IW_ENCODING_TOKEN_MAX);
++
++ memcpy(&key->key_val[0], &enc->key[0], key_len);
++ key->key_len = key_len;
+ commit |= (SME_WEP_VAL1 << index);
+ }
+ break;
--- /dev/null
+From ac83631230f77dda94154ed0ebfd368fc81c70a3 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Fri, 14 Jul 2023 12:54:17 -0500
+Subject: staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit ac83631230f77dda94154ed0ebfd368fc81c70a3 upstream.
+
+In the above mentioned routine, memory is allocated in several places.
+If the first succeeds and a later one fails, the routine will leak memory.
+This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver
+to the mainline kernel"). A potential memory leak in
+r8712_xmit_resource_alloc() is also addressed.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Reported-by: syzbot+cf71097ffb6755df8251@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/x/log.txt?x=11ac3fa0a80000
+Cc: stable@vger.kernel.org
+Cc: Nam Cao <namcaov@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reviewed-by: Nam Cao <namcaov@gmail.com>
+Link: https://lore.kernel.org/r/20230714175417.18578-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8712/rtl871x_xmit.c | 43 ++++++++++++++++++++++++++-------
+ drivers/staging/rtl8712/xmit_linux.c | 6 ++++
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_xmit.c
++++ b/drivers/staging/rtl8712/rtl871x_xmit.c
+@@ -21,6 +21,7 @@
+ #include "osdep_intf.h"
+ #include "usb_ops.h"
+
++#include <linux/usb.h>
+ #include <linux/ieee80211.h>
+
+ static const u8 P802_1H_OUI[P80211_OUI_LEN] = {0x00, 0x00, 0xf8};
+@@ -55,6 +56,7 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ sint i;
+ struct xmit_buf *pxmitbuf;
+ struct xmit_frame *pxframe;
++ int j;
+
+ memset((unsigned char *)pxmitpriv, 0, sizeof(struct xmit_priv));
+ spin_lock_init(&pxmitpriv->lock);
+@@ -117,11 +119,8 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ _init_queue(&pxmitpriv->pending_xmitbuf_queue);
+ pxmitpriv->pallocated_xmitbuf =
+ kmalloc(NR_XMITBUFF * sizeof(struct xmit_buf) + 4, GFP_ATOMIC);
+- if (!pxmitpriv->pallocated_xmitbuf) {
+- kfree(pxmitpriv->pallocated_frame_buf);
+- pxmitpriv->pallocated_frame_buf = NULL;
+- return -ENOMEM;
+- }
++ if (!pxmitpriv->pallocated_xmitbuf)
++ goto clean_up_frame_buf;
+ pxmitpriv->pxmitbuf = pxmitpriv->pallocated_xmitbuf + 4 -
+ ((addr_t)(pxmitpriv->pallocated_xmitbuf) & 3);
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+@@ -129,13 +128,17 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ INIT_LIST_HEAD(&pxmitbuf->list);
+ pxmitbuf->pallocated_buf =
+ kmalloc(MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ, GFP_ATOMIC);
+- if (!pxmitbuf->pallocated_buf)
+- return -ENOMEM;
++ if (!pxmitbuf->pallocated_buf) {
++ j = 0;
++ goto clean_up_alloc_buf;
++ }
+ pxmitbuf->pbuf = pxmitbuf->pallocated_buf + XMITBUF_ALIGN_SZ -
+ ((addr_t) (pxmitbuf->pallocated_buf) &
+ (XMITBUF_ALIGN_SZ - 1));
+- if (r8712_xmit_resource_alloc(padapter, pxmitbuf))
+- return -ENOMEM;
++ if (r8712_xmit_resource_alloc(padapter, pxmitbuf)) {
++ j = 1;
++ goto clean_up_alloc_buf;
++ }
+ list_add_tail(&pxmitbuf->list,
+ &(pxmitpriv->free_xmitbuf_queue.queue));
+ pxmitbuf++;
+@@ -146,6 +149,28 @@ int _r8712_init_xmit_priv(struct xmit_pr
+ init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
+ tasklet_setup(&pxmitpriv->xmit_tasklet, r8712_xmit_bh);
+ return 0;
++
++clean_up_alloc_buf:
++ if (j) {
++ /* failure happened in r8712_xmit_resource_alloc()
++ * delete extra pxmitbuf->pallocated_buf
++ */
++ kfree(pxmitbuf->pallocated_buf);
++ }
++ for (j = 0; j < i; j++) {
++ int k;
++
++ pxmitbuf--; /* reset pointer */
++ kfree(pxmitbuf->pallocated_buf);
++ for (k = 0; k < 8; k++) /* delete xmit urb's */
++ usb_free_urb(pxmitbuf->pxmit_urb[k]);
++ }
++ kfree(pxmitpriv->pallocated_xmitbuf);
++ pxmitpriv->pallocated_xmitbuf = NULL;
++clean_up_frame_buf:
++ kfree(pxmitpriv->pallocated_frame_buf);
++ pxmitpriv->pallocated_frame_buf = NULL;
++ return -ENOMEM;
+ }
+
+ void _free_xmit_priv(struct xmit_priv *pxmitpriv)
+--- a/drivers/staging/rtl8712/xmit_linux.c
++++ b/drivers/staging/rtl8712/xmit_linux.c
+@@ -112,6 +112,12 @@ int r8712_xmit_resource_alloc(struct _ad
+ for (i = 0; i < 8; i++) {
+ pxmitbuf->pxmit_urb[i] = usb_alloc_urb(0, GFP_KERNEL);
+ if (!pxmitbuf->pxmit_urb[i]) {
++ int k;
++
++ for (k = i - 1; k >= 0; k--) {
++ /* handle allocation errors part way through loop */
++ usb_free_urb(pxmitbuf->pxmit_urb[k]);
++ }
+ netdev_err(padapter->pnetdev, "pxmitbuf->pxmit_urb[i] == NULL\n");
+ return -ENOMEM;
+ }
--- /dev/null
+From 513253f8c293c0c8bd46d09d337fc892bf8f9f48 Mon Sep 17 00:00:00 2001
+From: Alexander Steffen <Alexander.Steffen@infineon.com>
+Date: Tue, 13 Jun 2023 20:02:56 +0200
+Subject: tpm_tis: Explicitly check for error code
+
+From: Alexander Steffen <Alexander.Steffen@infineon.com>
+
+commit 513253f8c293c0c8bd46d09d337fc892bf8f9f48 upstream.
+
+recv_data either returns the number of received bytes, or a negative value
+representing an error code. Adding the return value directly to the total
+number of received bytes therefore looks a little weird, since it might add
+a negative error code to a sum of bytes.
+
+The following check for size < expected usually makes the function return
+ETIME in that case, so it does not cause too many problems in practice. But
+to make the code look cleaner and because the caller might still be
+interested in the original error code, explicitly check for the presence of
+an error code and pass that through.
+
+Cc: stable@vger.kernel.org
+Fixes: cb5354253af2 ("[PATCH] tpm: spacing cleanups 2")
+Signed-off-by: Alexander Steffen <Alexander.Steffen@infineon.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -356,8 +356,13 @@ static int tpm_tis_recv(struct tpm_chip
+ goto out;
+ }
+
+- size += recv_data(chip, &buf[TPM_HEADER_SIZE],
+- expected - TPM_HEADER_SIZE);
++ rc = recv_data(chip, &buf[TPM_HEADER_SIZE],
++ expected - TPM_HEADER_SIZE);
++ if (rc < 0) {
++ size = rc;
++ goto out;
++ }
++ size += rc;
+ if (size < expected) {
+ dev_err(&chip->dev, "Unable to read remainder of result\n");
+ size = -ETIME;
--- /dev/null
+From 9b9c8195f3f0d74a826077fc1c01b9ee74907239 Mon Sep 17 00:00:00 2001
+From: Chaoyuan Peng <hedonistsmith@gmail.com>
+Date: Tue, 18 Jul 2023 04:39:43 +0000
+Subject: tty: n_gsm: fix UAF in gsm_cleanup_mux
+
+From: Chaoyuan Peng <hedonistsmith@gmail.com>
+
+commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239 upstream.
+
+In gsm_cleanup_mux() the 'gsm->dlci' pointer was not cleaned properly,
+leaving it a dangling pointer after gsm_dlci_release.
+This leads to use-after-free where 'gsm->dlci[0]' are freed and accessed
+by the subsequent gsm_cleanup_mux().
+
+Such is the case in the following call trace:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
+ print_address_description+0x63/0x3b0 mm/kasan/report.c:248
+ __kasan_report mm/kasan/report.c:434 [inline]
+ kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
+ gsm_cleanup_mux+0x76a/0x850 drivers/tty/n_gsm.c:2397
+ gsm_config drivers/tty/n_gsm.c:2653 [inline]
+ gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
+ tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+ </TASK>
+
+Allocated by task 3501:
+ kasan_save_stack mm/kasan/common.c:38 [inline]
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:434 [inline]
+ ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
+ kasan_kmalloc include/linux/kasan.h:264 [inline]
+ kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
+ kmalloc include/linux/slab.h:591 [inline]
+ kzalloc include/linux/slab.h:721 [inline]
+ gsm_dlci_alloc+0x53/0x3a0 drivers/tty/n_gsm.c:1932
+ gsm_activate_mux+0x1c/0x330 drivers/tty/n_gsm.c:2438
+ gsm_config drivers/tty/n_gsm.c:2677 [inline]
+ gsmld_ioctl+0xd46/0x15b0 drivers/tty/n_gsm.c:2986
+ tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+Freed by task 3501:
+ kasan_save_stack mm/kasan/common.c:38 [inline]
+ kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
+ kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
+ ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
+ kasan_slab_free include/linux/kasan.h:230 [inline]
+ slab_free_hook mm/slub.c:1705 [inline]
+ slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
+ slab_free mm/slub.c:3499 [inline]
+ kfree+0xf1/0x270 mm/slub.c:4559
+ dlci_put drivers/tty/n_gsm.c:1988 [inline]
+ gsm_dlci_release drivers/tty/n_gsm.c:2021 [inline]
+ gsm_cleanup_mux+0x574/0x850 drivers/tty/n_gsm.c:2415
+ gsm_config drivers/tty/n_gsm.c:2653 [inline]
+ gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
+ tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")
+Signed-off-by: Chaoyuan Peng <hedonistsmith@gmail.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -2508,8 +2508,10 @@ static void gsm_cleanup_mux(struct gsm_m
+ gsm->has_devices = false;
+ }
+ for (i = NUM_DLCI - 1; i >= 0; i--)
+- if (gsm->dlci[i])
++ if (gsm->dlci[i]) {
+ gsm_dlci_release(gsm->dlci[i]);
++ gsm->dlci[i] = NULL;
++ }
+ mutex_unlock(&gsm->mutex);
+ /* Now wipe the queues */
+ tty_ldisc_flush(gsm->tty);
--- /dev/null
+From 2627335a1329a0d39d8d277994678571c4f21800 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Fri, 7 Jul 2023 19:00:15 -0400
+Subject: usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit 2627335a1329a0d39d8d277994678571c4f21800 upstream.
+
+Previously, the cdns3_gadget_check_config() function in the cdns3 driver
+mistakenly calculated the ep_buf_size by considering only one
+configuration's endpoint information because "claimed" will be clear after
+call usb_gadget_check_config().
+
+The fix involves checking the private flags EP_CLAIMED instead of relying
+on the "claimed" flag.
+
+Fixes: dce49449e04f ("usb: cdns3: allocate TX FIFO size according to composite EP number")
+Cc: stable <stable@kernel.org>
+Reported-by: Ravi Gunasekaran <r-gunasekaran@ti.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Tested-by: Ravi Gunasekaran <r-gunasekaran@ti.com>
+Link: https://lore.kernel.org/r/20230707230015.494999-2-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-gadget.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/cdns3/cdns3-gadget.c
++++ b/drivers/usb/cdns3/cdns3-gadget.c
+@@ -3012,12 +3012,14 @@ static int cdns3_gadget_udc_stop(struct
+ static int cdns3_gadget_check_config(struct usb_gadget *gadget)
+ {
+ struct cdns3_device *priv_dev = gadget_to_cdns3_device(gadget);
++ struct cdns3_endpoint *priv_ep;
+ struct usb_ep *ep;
+ int n_in = 0;
+ int total;
+
+ list_for_each_entry(ep, &gadget->ep_list, ep_list) {
+- if (ep->claimed && (ep->address & USB_DIR_IN))
++ priv_ep = ep_to_cdns3_ep(ep);
++ if ((priv_ep->flags & EP_CLAIMED) && (ep->address & USB_DIR_IN))
+ n_in++;
+ }
+
--- /dev/null
+From e835c0a4e23c38531dcee5ef77e8d1cf462658c7 Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Wed, 28 Jun 2023 00:20:18 +0800
+Subject: usb: dwc3: don't reset device side if dwc3 was configured as host-only
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit e835c0a4e23c38531dcee5ef77e8d1cf462658c7 upstream.
+
+Commit c4a5153e87fd ("usb: dwc3: core: Power-off core/PHYs on
+system_suspend in host mode") replaces check for HOST only dr_mode with
+current_dr_role. But during booting, the current_dr_role isn't
+initialized, thus the device side reset is always issued even if dwc3
+was configured as host-only. What's more, on some platforms with host
+only dwc3, aways issuing device side reset by accessing device register
+block can cause kernel panic.
+
+Fixes: c4a5153e87fd ("usb: dwc3: core: Power-off core/PHYs on system_suspend in host mode")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20230627162018.739-1-jszhang@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -277,9 +277,9 @@ int dwc3_core_soft_reset(struct dwc3 *dw
+ /*
+ * We're resetting only the device side because, if we're in host mode,
+ * XHCI driver will reset the host block. If dwc3 was configured for
+- * host-only mode, then we can return early.
++ * host-only mode or current role is host, then we can return early.
+ */
+- if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST)
++ if (dwc->dr_mode == USB_DR_MODE_HOST || dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST)
+ return 0;
+
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
--- /dev/null
+From b32b8f2b9542d8039f5468303a6ca78c1b5611a5 Mon Sep 17 00:00:00 2001
+From: Gratian Crisan <gratian.crisan@ni.com>
+Date: Wed, 26 Jul 2023 13:45:56 -0500
+Subject: usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy
+
+From: Gratian Crisan <gratian.crisan@ni.com>
+
+commit b32b8f2b9542d8039f5468303a6ca78c1b5611a5 upstream.
+
+Hardware based on the Bay Trail / BYT SoCs require an external ULPI phy for
+USB device-mode. The phy chip usually has its 'reset' and 'chip select'
+lines connected to GPIOs described by ACPI fwnodes in the DSDT table.
+
+Because of hardware with missing ACPI resources for the 'reset' and 'chip
+select' GPIOs commit 5741022cbdf3 ("usb: dwc3: pci: Add GPIO lookup table
+on platforms without ACPI GPIO resources") introduced a fallback
+gpiod_lookup_table with hard-coded mappings for Bay Trail devices.
+
+However there are existing Bay Trail based devices, like the National
+Instruments cRIO-903x series, where the phy chip has its 'reset' and
+'chip-select' lines always asserted in hardware via resistor pull-ups. On
+this hardware the phy chip is always enabled and the ACPI dsdt table is
+missing information not only for the 'chip-select' and 'reset' lines but
+also for the BYT GPIO controller itself "INT33FC".
+
+With the introduction of the gpiod_lookup_table initializing the USB
+device-mode on these hardware now errors out. The error comes from the
+gpiod_get_optional() calls in dwc3_pci_quirks() which will now return an
+-ENOENT error due to the missing ACPI entry for the INT33FC gpio controller
+used in the aforementioned table.
+
+This hardware used to work before because gpiod_get_optional() will return
+NULL instead of -ENOENT if no GPIO has been assigned to the requested
+function. The dwc3_pci_quirks() code for setting the 'cs' and 'reset' GPIOs
+was then skipped (due to the NULL return). This is the correct behavior in
+cases where the phy chip is hardwired and there are no GPIOs to control.
+
+Since the gpiod_lookup_table relies on the presence of INT33FC fwnode
+in ACPI tables only add the table if we know the entry for the INT33FC
+gpio controller is present. This allows Bay Trail based devices with
+hardwired dwc3 ULPI phys to continue working.
+
+Fixes: 5741022cbdf3 ("usb: dwc3: pci: Add GPIO lookup table on platforms without ACPI GPIO resources")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Gratian Crisan <gratian.crisan@ni.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230726184555.218091-2-gratian.crisan@ni.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -233,10 +233,12 @@ static int dwc3_pci_quirks(struct dwc3_p
+
+ /*
+ * A lot of BYT devices lack ACPI resource entries for
+- * the GPIOs, add a fallback mapping to the reference
++ * the GPIOs. If the ACPI entry for the GPIO controller
++ * is present add a fallback mapping to the reference
+ * design GPIOs which all boards seem to use.
+ */
+- gpiod_add_lookup_table(&platform_bytcr_gpios);
++ if (acpi_dev_present("INT33FC", NULL, -1))
++ gpiod_add_lookup_table(&platform_bytcr_gpios);
+
+ /*
+ * These GPIOs will turn on the USB2 PHY. Note that we have to
--- /dev/null
+From f4fc01af5b640bc39bd9403b5fd855345a2ad5f8 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Fri, 7 Jul 2023 19:00:14 -0400
+Subject: usb: gadget: call usb_gadget_check_config() to verify UDC capability
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit f4fc01af5b640bc39bd9403b5fd855345a2ad5f8 upstream.
+
+The legacy gadget driver omitted calling usb_gadget_check_config()
+to ensure that the USB device controller (UDC) has adequate resources,
+including sufficient endpoint numbers and types, to support the given
+configuration.
+
+Previously, usb_add_config() was solely invoked by the legacy gadget
+driver. Adds the necessary usb_gadget_check_config() after the bind()
+operation to fix the issue.
+
+Fixes: dce49449e04f ("usb: cdns3: allocate TX FIFO size according to composite EP number")
+Cc: stable <stable@kernel.org>
+Reported-by: Ravi Gunasekaran <r-gunasekaran@ti.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20230707230015.494999-1-Frank.Li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1029,6 +1029,10 @@ int usb_add_config(struct usb_composite_
+ goto done;
+
+ status = bind(config);
++
++ if (status == 0)
++ status = usb_gadget_check_config(cdev->gadget);
++
+ if (status < 0) {
+ while (!list_empty(&config->functions)) {
+ struct usb_function *f;
--- /dev/null
+From 6237390644fb92b81f5262877fe545d0d2c7b5d7 Mon Sep 17 00:00:00 2001
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Date: Sat, 22 Jul 2023 00:22:56 +0200
+Subject: usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+commit 6237390644fb92b81f5262877fe545d0d2c7b5d7 upstream.
+
+Commit 286d9975a838 ("usb: gadget: udc: core: Prevent soft_connect_store() race")
+introduced one extra mutex_unlock of connect_lock in the usb_gadget_active function.
+
+Fixes: 286d9975a838 ("usb: gadget: udc: core: Prevent soft_connect_store() race")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230721222256.1743645-1-m.grzeschik@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -851,7 +851,6 @@ int usb_gadget_activate(struct usb_gadge
+ */
+ if (gadget->connected)
+ ret = usb_gadget_connect_locked(gadget);
+- mutex_unlock(&gadget->udc->connect_lock);
+
+ unlock:
+ mutex_unlock(&gadget->udc->connect_lock);
--- /dev/null
+From 83e30f2bf86ef7c38fbd476ed81a88522b620628 Mon Sep 17 00:00:00 2001
+From: Zqiang <qiang.zhang1211@gmail.com>
+Date: Fri, 14 Jul 2023 15:40:11 +0800
+Subject: USB: gadget: Fix the memory leak in raw_gadget driver
+
+From: Zqiang <qiang.zhang1211@gmail.com>
+
+commit 83e30f2bf86ef7c38fbd476ed81a88522b620628 upstream.
+
+Currently, increasing raw_dev->count happens before invoke the
+raw_queue_event(), if the raw_queue_event() return error, invoke
+raw_release() will not trigger the dev_free() to be called.
+
+[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event
+[ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12
+[ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12
+[ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
+[ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16
+
+BUG: memory leak
+
+[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
+[<ffffffff8347eb55>] kmalloc include/linux/slab.h:582 [inline]
+[<ffffffff8347eb55>] kzalloc include/linux/slab.h:703 [inline]
+[<ffffffff8347eb55>] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]
+[<ffffffff8347eb55>] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385
+[<ffffffff827d1d09>] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165
+
+[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
+[<ffffffff8347cd2f>] kmalloc include/linux/slab.h:582 [inline]
+[<ffffffff8347cd2f>] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460
+[<ffffffff8347dfe9>] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250
+[<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
+
+[<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
+[<ffffffff833ecc6a>] kmalloc include/linux/slab.h:582 [inline]
+[<ffffffff833ecc6a>] kzalloc include/linux/slab.h:703 [inline]
+[<ffffffff833ecc6a>] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665
+[<ffffffff833e9132>] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196
+[<ffffffff8347f13d>] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292
+
+This commit therefore invoke kref_get() under the condition that
+raw_queue_event() return success.
+
+Reported-by: syzbot+feb045d335c1fdde5bf7@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Closes: https://syzkaller.appspot.com/bug?extid=feb045d335c1fdde5bf7
+Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@gmail.com>
+Link: https://lore.kernel.org/r/20230714074011.20989-1-qiang.zhang1211@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/raw_gadget.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/raw_gadget.c
++++ b/drivers/usb/gadget/legacy/raw_gadget.c
+@@ -310,13 +310,15 @@ static int gadget_bind(struct usb_gadget
+ dev->eps_num = i;
+ spin_unlock_irqrestore(&dev->lock, flags);
+
+- /* Matches kref_put() in gadget_unbind(). */
+- kref_get(&dev->count);
+-
+ ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL);
+- if (ret < 0)
++ if (ret < 0) {
+ dev_err(&gadget->dev, "failed to queue event\n");
++ set_gadget_data(gadget, NULL);
++ return ret;
++ }
+
++ /* Matches kref_put() in gadget_unbind(). */
++ kref_get(&dev->count);
+ return ret;
+ }
+
--- /dev/null
+From 7f2327666a9080e428166964e37548b0168cd5e9 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Wed, 5 Jul 2023 17:52:31 +0800
+Subject: usb: misc: ehset: fix wrong if condition
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 7f2327666a9080e428166964e37548b0168cd5e9 upstream.
+
+A negative number from ret means the host controller had failed to send
+usb message and 0 means succeed. Therefore, the if logic is wrong here
+and this patch will fix it.
+
+Fixes: f2b42379c576 ("usb: misc: ehset: Rework test mode entry")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230705095231.457860-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/misc/ehset.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/ehset.c
++++ b/drivers/usb/misc/ehset.c
+@@ -77,7 +77,7 @@ static int ehset_probe(struct usb_interf
+ switch (test_pid) {
+ case TEST_SE0_NAK_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
+@@ -86,7 +86,7 @@ static int ehset_probe(struct usb_interf
+ break;
+ case TEST_J_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
+@@ -95,7 +95,7 @@ static int ehset_probe(struct usb_interf
+ break;
+ case TEST_K_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
+@@ -104,7 +104,7 @@ static int ehset_probe(struct usb_interf
+ break;
+ case TEST_PACKET_PID:
+ ret = ehset_prepare_port_for_testing(hub_udev, portnum);
+- if (!ret)
++ if (ret < 0)
+ break;
+ ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
+ USB_RT_PORT, USB_PORT_FEAT_TEST,
--- /dev/null
+From c55afcbeaa7a6f4fffdbc999a9bf3f0b29a5186f Mon Sep 17 00:00:00 2001
+From: Guiting Shen <aarongt.shen@gmail.com>
+Date: Mon, 26 Jun 2023 23:27:13 +0800
+Subject: usb: ohci-at91: Fix the unhandle interrupt when resume
+
+From: Guiting Shen <aarongt.shen@gmail.com>
+
+commit c55afcbeaa7a6f4fffdbc999a9bf3f0b29a5186f upstream.
+
+The ohci_hcd_at91_drv_suspend() sets ohci->rh_state to OHCI_RH_HALTED when
+suspend which will let the ohci_irq() skip the interrupt after resume. And
+nobody to handle this interrupt.
+
+According to the comment in ohci_hcd_at91_drv_suspend(), it need to reset
+when resume from suspend(MEM) to fix by setting "hibernated" argument of
+ohci_resume().
+
+Signed-off-by: Guiting Shen <aarongt.shen@gmail.com>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20230626152713.18950-1-aarongt.shen@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/ohci-at91.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-at91.c
++++ b/drivers/usb/host/ohci-at91.c
+@@ -673,7 +673,13 @@ ohci_hcd_at91_drv_resume(struct device *
+ else
+ at91_start_clock(ohci_at91);
+
+- ohci_resume(hcd, false);
++ /*
++ * According to the comment in ohci_hcd_at91_drv_suspend()
++ * we need to do a reset if the 48Mhz clock was stopped,
++ * that is, if ohci_at91->wakeup is clear. Tell ohci_resume()
++ * to reset in this case by setting its "hibernated" flag.
++ */
++ ohci_resume(hcd, !ohci_at91->wakeup);
+
+ return 0;
+ }
--- /dev/null
+From 9dc162e22387080e2d06de708b89920c0e158c9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= <lb@semihalf.com>
+Date: Mon, 24 Jul 2023 13:29:11 +0200
+Subject: USB: quirks: add quirk for Focusrite Scarlett
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Bartosik <lb@semihalf.com>
+
+commit 9dc162e22387080e2d06de708b89920c0e158c9a upstream.
+
+The Focusrite Scarlett audio device does not behave correctly during
+resumes. Below is what happens during every resume (captured with
+Beagle 5000):
+
+<Suspend>
+<Resume>
+<Reset>/<Chirp J>/<Tiny J>
+<Reset/Target disconnected>
+<High Speed>
+
+The Scarlett disconnects and is enumerated again.
+
+However from time to time it drops completely off the USB bus during
+resume. Below is captured occurrence of such an event:
+
+<Suspend>
+<Resume>
+<Reset>/<Chirp J>/<Tiny J>
+<Reset>/<Chirp K>/<Tiny K>
+<High Speed>
+<Corrupted packet>
+<Reset/Target disconnected>
+
+To fix the condition a user has to unplug and plug the device again.
+
+With USB_QUIRK_RESET_RESUME applied ("usbcore.quirks=1235:8211:b")
+for the Scarlett audio device the issue still reproduces.
+
+Applying USB_QUIRK_DISCONNECT_SUSPEND ("usbcore.quirks=1235:8211:m")
+fixed the issue and the Scarlett audio device didn't drop off the USB
+bus for ~5000 suspend/resume cycles where originally issue reproduced in
+~100 or less suspend/resume cycles.
+
+Signed-off-by: Łukasz Bartosik <lb@semihalf.com>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230724112911.1802577-1-lb@semihalf.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -436,6 +436,10 @@ static const struct usb_device_id usb_qu
+ /* novation SoundControl XL */
+ { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* Focusrite Scarlett Solo USB */
++ { USB_DEVICE(0x1235, 0x8211), .driver_info =
++ USB_QUIRK_DISCONNECT_SUSPEND },
++
+ /* Huawei 4G LTE module */
+ { USB_DEVICE(0x12d1, 0x15bb), .driver_info =
+ USB_QUIRK_DISCONNECT_SUSPEND },
--- /dev/null
+From 857ea9005806e2a458016880278f98715873e977 Mon Sep 17 00:00:00 2001
+From: Mohsen Tahmasebi <moh53n@moh53n.ir>
+Date: Mon, 10 Jul 2023 11:22:18 +0330
+Subject: USB: serial: option: add Quectel EC200A module support
+
+From: Mohsen Tahmasebi <moh53n@moh53n.ir>
+
+commit 857ea9005806e2a458016880278f98715873e977 upstream.
+
+Add Quectel EC200A "DIAG, AT, MODEM":
+
+0x6005: ECM / RNDIS + DIAG + AT + MODEM
+
+T: Bus=01 Lev=01 Prnt=02 Port=05 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=6005 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=0000
+C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=4096ms
+
+Signed-off-by: Mohsen Tahmasebi <moh53n@moh53n.ir>
+Tested-by: Mostafa Ghofrani <mostafaghrr@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -269,6 +269,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_PRODUCT_RM520N 0x0801
+ #define QUECTEL_PRODUCT_EC200U 0x0901
+ #define QUECTEL_PRODUCT_EC200S_CN 0x6002
++#define QUECTEL_PRODUCT_EC200A 0x6005
+ #define QUECTEL_PRODUCT_EM061K_LWW 0x6008
+ #define QUECTEL_PRODUCT_EM061K_LCN 0x6009
+ #define QUECTEL_PRODUCT_EC200T 0x6026
+@@ -1229,6 +1230,7 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, 0x0900, 0xff, 0, 0), /* RM500U-CN */
+ .driver_info = ZLP },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200A, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200U, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) },
--- /dev/null
+From 4f7cab49cecee16120d27c1734cfdf3d6c0e5329 Mon Sep 17 00:00:00 2001
+From: Jerry Meng <jerry-meng@foxmail.com>
+Date: Thu, 29 Jun 2023 17:35:22 +0800
+Subject: USB: serial: option: support Quectel EM060K_128
+
+From: Jerry Meng <jerry-meng@foxmail.com>
+
+commit 4f7cab49cecee16120d27c1734cfdf3d6c0e5329 upstream.
+
+EM060K_128 is EM060K's sub-model, having the same name "Quectel EM060K-GL"
+
+MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL
+
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0128 Rev= 5.04
+S: Manufacturer=Quectel
+S: Product=Quectel EM060K-GL
+S: SerialNumber=f6fa08b6
+C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
+E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
+E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Jerry Meng <jerry-meng@foxmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -251,6 +251,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_PRODUCT_EM061K_LTA 0x0123
+ #define QUECTEL_PRODUCT_EM061K_LMS 0x0124
+ #define QUECTEL_PRODUCT_EC25 0x0125
++#define QUECTEL_PRODUCT_EM060K_128 0x0128
+ #define QUECTEL_PRODUCT_EG91 0x0191
+ #define QUECTEL_PRODUCT_EG95 0x0195
+ #define QUECTEL_PRODUCT_BG96 0x0296
+@@ -1197,6 +1198,9 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0x00, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0xff, 0x30) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0xff, 0x40) },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K_128, 0xff, 0xff, 0x30) },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K_128, 0xff, 0x00, 0x40) },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K_128, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0xff, 0x30) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0x00, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM061K_LCN, 0xff, 0xff, 0x40) },
--- /dev/null
+From dd92c8a1f99bcd166204ffc219ea5a23dd65d64f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 12 Jul 2023 16:16:41 +0200
+Subject: USB: serial: simple: add Kaufmann RKS+CAN VCP
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit dd92c8a1f99bcd166204ffc219ea5a23dd65d64f upstream.
+
+Add the device and product ID for this CAN bus interface / license
+dongle. The device is usable either directly from user space or can be
+attached to a kernel CAN interface with slcan_attach.
+
+Reported-by: Kaufmann Automotive GmbH <info@kaufmann-automotive.ch>
+Tested-by: Kaufmann Automotive GmbH <info@kaufmann-automotive.ch>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+[ johan: amend commit message and move entries in sort order ]
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/usb-serial-simple.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -63,6 +63,11 @@ DEVICE(flashloader, FLASHLOADER_IDS);
+ 0x01) }
+ DEVICE(google, GOOGLE_IDS);
+
++/* KAUFMANN RKS+CAN VCP */
++#define KAUFMANN_IDS() \
++ { USB_DEVICE(0x16d0, 0x0870) }
++DEVICE(kaufmann, KAUFMANN_IDS);
++
+ /* Libtransistor USB console */
+ #define LIBTRANSISTOR_IDS() \
+ { USB_DEVICE(0x1209, 0x8b00) }
+@@ -124,6 +129,7 @@ static struct usb_serial_driver * const
+ &funsoft_device,
+ &flashloader_device,
+ &google_device,
++ &kaufmann_device,
+ &libtransistor_device,
+ &vivopay_device,
+ &moto_modem_device,
+@@ -142,6 +148,7 @@ static const struct usb_device_id id_tab
+ FUNSOFT_IDS(),
+ FLASHLOADER_IDS(),
+ GOOGLE_IDS(),
++ KAUFMANN_IDS(),
+ LIBTRANSISTOR_IDS(),
+ VIVOPAY_IDS(),
+ MOTO_IDS(),
--- /dev/null
+From d245aedc00775c4d7265a9f4522cc4e1fd34d102 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 20 Jul 2023 09:53:57 +0200
+Subject: USB: serial: simple: sort driver entries
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d245aedc00775c4d7265a9f4522cc4e1fd34d102 upstream.
+
+Sort the driver symbols alphabetically in order to make it more obvious
+where new driver entries should be added.
+
+Cc: stable@vger.kernel.org
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/usb-serial-simple.c | 66 ++++++++++++++++-----------------
+ 1 file changed, 33 insertions(+), 33 deletions(-)
+
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -38,16 +38,6 @@ static struct usb_serial_driver vendor##
+ { USB_DEVICE(0x0a21, 0x8001) } /* MMT-7305WW */
+ DEVICE(carelink, CARELINK_IDS);
+
+-/* ZIO Motherboard USB driver */
+-#define ZIO_IDS() \
+- { USB_DEVICE(0x1CBE, 0x0103) }
+-DEVICE(zio, ZIO_IDS);
+-
+-/* Funsoft Serial USB driver */
+-#define FUNSOFT_IDS() \
+- { USB_DEVICE(0x1404, 0xcddc) }
+-DEVICE(funsoft, FUNSOFT_IDS);
+-
+ /* Infineon Flashloader driver */
+ #define FLASHLOADER_IDS() \
+ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
+@@ -55,6 +45,11 @@ DEVICE(funsoft, FUNSOFT_IDS);
+ { USB_DEVICE(0x8087, 0x0801) }
+ DEVICE(flashloader, FLASHLOADER_IDS);
+
++/* Funsoft Serial USB driver */
++#define FUNSOFT_IDS() \
++ { USB_DEVICE(0x1404, 0xcddc) }
++DEVICE(funsoft, FUNSOFT_IDS);
++
+ /* Google Serial USB SubClass */
+ #define GOOGLE_IDS() \
+ { USB_VENDOR_AND_INTERFACE_INFO(0x18d1, \
+@@ -63,6 +58,11 @@ DEVICE(flashloader, FLASHLOADER_IDS);
+ 0x01) }
+ DEVICE(google, GOOGLE_IDS);
+
++/* HP4x (48/49) Generic Serial driver */
++#define HP4X_IDS() \
++ { USB_DEVICE(0x03f0, 0x0121) }
++DEVICE(hp4x, HP4X_IDS);
++
+ /* KAUFMANN RKS+CAN VCP */
+ #define KAUFMANN_IDS() \
+ { USB_DEVICE(0x16d0, 0x0870) }
+@@ -73,11 +73,6 @@ DEVICE(kaufmann, KAUFMANN_IDS);
+ { USB_DEVICE(0x1209, 0x8b00) }
+ DEVICE(libtransistor, LIBTRANSISTOR_IDS);
+
+-/* ViVOpay USB Serial Driver */
+-#define VIVOPAY_IDS() \
+- { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */
+-DEVICE(vivopay, VIVOPAY_IDS);
+-
+ /* Motorola USB Phone driver */
+ #define MOTO_IDS() \
+ { USB_DEVICE(0x05c6, 0x3197) }, /* unknown Motorola phone */ \
+@@ -106,10 +101,10 @@ DEVICE(nokia, NOKIA_IDS);
+ { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */
+ DEVICE_N(novatel_gps, NOVATEL_IDS, 3);
+
+-/* HP4x (48/49) Generic Serial driver */
+-#define HP4X_IDS() \
+- { USB_DEVICE(0x03f0, 0x0121) }
+-DEVICE(hp4x, HP4X_IDS);
++/* Siemens USB/MPI adapter */
++#define SIEMENS_IDS() \
++ { USB_DEVICE(0x908, 0x0004) }
++DEVICE(siemens_mpi, SIEMENS_IDS);
+
+ /* Suunto ANT+ USB Driver */
+ #define SUUNTO_IDS() \
+@@ -117,47 +112,52 @@ DEVICE(hp4x, HP4X_IDS);
+ { USB_DEVICE(0x0fcf, 0x1009) } /* Dynastream ANT USB-m Stick */
+ DEVICE(suunto, SUUNTO_IDS);
+
+-/* Siemens USB/MPI adapter */
+-#define SIEMENS_IDS() \
+- { USB_DEVICE(0x908, 0x0004) }
+-DEVICE(siemens_mpi, SIEMENS_IDS);
++/* ViVOpay USB Serial Driver */
++#define VIVOPAY_IDS() \
++ { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */
++DEVICE(vivopay, VIVOPAY_IDS);
++
++/* ZIO Motherboard USB driver */
++#define ZIO_IDS() \
++ { USB_DEVICE(0x1CBE, 0x0103) }
++DEVICE(zio, ZIO_IDS);
+
+ /* All of the above structures mushed into two lists */
+ static struct usb_serial_driver * const serial_drivers[] = {
+ &carelink_device,
+- &zio_device,
+- &funsoft_device,
+ &flashloader_device,
++ &funsoft_device,
+ &google_device,
++ &hp4x_device,
+ &kaufmann_device,
+ &libtransistor_device,
+- &vivopay_device,
+ &moto_modem_device,
+ &motorola_tetra_device,
+ &nokia_device,
+ &novatel_gps_device,
+- &hp4x_device,
+- &suunto_device,
+ &siemens_mpi_device,
++ &suunto_device,
++ &vivopay_device,
++ &zio_device,
+ NULL
+ };
+
+ static const struct usb_device_id id_table[] = {
+ CARELINK_IDS(),
+- ZIO_IDS(),
+- FUNSOFT_IDS(),
+ FLASHLOADER_IDS(),
++ FUNSOFT_IDS(),
+ GOOGLE_IDS(),
++ HP4X_IDS(),
+ KAUFMANN_IDS(),
+ LIBTRANSISTOR_IDS(),
+- VIVOPAY_IDS(),
+ MOTO_IDS(),
+ MOTOROLA_TETRA_IDS(),
+ NOKIA_IDS(),
+ NOVATEL_IDS(),
+- HP4X_IDS(),
+- SUUNTO_IDS(),
+ SIEMENS_IDS(),
++ SUUNTO_IDS(),
++ VIVOPAY_IDS(),
++ ZIO_IDS(),
+ { },
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
--- /dev/null
+From 4b642dc9829507e4afabc03d32a18abbdb192c5e Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Fri, 23 Jun 2023 23:10:35 +0800
+Subject: usb: typec: Iterate pds array when showing the pd list
+
+From: Kyle Tso <kyletso@google.com>
+
+commit 4b642dc9829507e4afabc03d32a18abbdb192c5e upstream.
+
+The pointers of each usb_power_delivery handles are stored in "pds"
+array returned from the pd_get ops but not in the adjacent memory
+calculated from "pd". Get the handles from "pds" array directly instead
+of deriving them from "pd".
+
+Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230623151036.3955013-3-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/class.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1258,8 +1258,7 @@ static ssize_t select_usb_power_delivery
+ {
+ struct typec_port *port = to_typec_port(dev);
+ struct usb_power_delivery **pds;
+- struct usb_power_delivery *pd;
+- int ret = 0;
++ int i, ret = 0;
+
+ if (!port->ops || !port->ops->pd_get)
+ return -EOPNOTSUPP;
+@@ -1268,11 +1267,11 @@ static ssize_t select_usb_power_delivery
+ if (!pds)
+ return 0;
+
+- for (pd = pds[0]; pd; pd++) {
+- if (pd == port->pd)
+- ret += sysfs_emit(buf + ret, "[%s] ", dev_name(&pd->dev));
++ for (i = 0; pds[i]; i++) {
++ if (pds[i] == port->pd)
++ ret += sysfs_emit(buf + ret, "[%s] ", dev_name(&pds[i]->dev));
+ else
+- ret += sysfs_emit(buf + ret, "%s ", dev_name(&pd->dev));
++ ret += sysfs_emit(buf + ret, "%s ", dev_name(&pds[i]->dev));
+ }
+
+ buf[ret - 1] = '\n';
--- /dev/null
+From b33ebb2415e7e0a55ee3d049c2890d3a3e3805b6 Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Fri, 23 Jun 2023 23:10:34 +0800
+Subject: usb: typec: Set port->pd before adding device for typec_port
+
+From: Kyle Tso <kyletso@google.com>
+
+commit b33ebb2415e7e0a55ee3d049c2890d3a3e3805b6 upstream.
+
+When calling device_add in the registration of typec_port, it will do
+the NULL check on usb_power_delivery handle in typec_port for the
+visibility of the device attributes. It is always NULL because port->pd
+is set in typec_port_set_usb_power_delivery which is later than the
+device_add call.
+
+Set port->pd before device_add and only link the device after that.
+
+Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230623151036.3955013-2-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/class.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -2259,6 +2259,8 @@ struct typec_port *typec_register_port(s
+ return ERR_PTR(ret);
+ }
+
++ port->pd = cap->pd;
++
+ ret = device_add(&port->dev);
+ if (ret) {
+ dev_err(parent, "failed to register port (%d)\n", ret);
+@@ -2266,7 +2268,7 @@ struct typec_port *typec_register_port(s
+ return ERR_PTR(ret);
+ }
+
+- ret = typec_port_set_usb_power_delivery(port, cap->pd);
++ ret = usb_power_delivery_link_device(port->pd, &port->dev);
+ if (ret) {
+ dev_err(&port->dev, "failed to link pd\n");
+ device_unregister(&port->dev);
--- /dev/null
+From 609fded3f91972ada551c141c5d04a71704f8967 Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Fri, 23 Jun 2023 23:10:36 +0800
+Subject: usb: typec: Use sysfs_emit_at when concatenating the string
+
+From: Kyle Tso <kyletso@google.com>
+
+commit 609fded3f91972ada551c141c5d04a71704f8967 upstream.
+
+The buffer address used in sysfs_emit should be aligned to PAGE_SIZE.
+Use sysfs_emit_at instead to offset the buffer.
+
+Fixes: a7cff92f0635 ("usb: typec: USB Power Delivery helpers for ports and partners")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230623151036.3955013-4-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/class.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -1269,9 +1269,9 @@ static ssize_t select_usb_power_delivery
+
+ for (i = 0; pds[i]; i++) {
+ if (pds[i] == port->pd)
+- ret += sysfs_emit(buf + ret, "[%s] ", dev_name(&pds[i]->dev));
++ ret += sysfs_emit_at(buf, ret, "[%s] ", dev_name(&pds[i]->dev));
+ else
+- ret += sysfs_emit(buf + ret, "%s ", dev_name(&pds[i]->dev));
++ ret += sysfs_emit_at(buf, ret, "%s ", dev_name(&pds[i]->dev));
+ }
+
+ buf[ret - 1] = '\n';
--- /dev/null
+From 9fd10829a9eb482e192a845675ecc5480e0bfa10 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Wed, 19 Jul 2023 13:01:04 +0000
+Subject: usb: xhci-mtk: set the dma max_seg_size
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 9fd10829a9eb482e192a845675ecc5480e0bfa10 upstream.
+
+Allow devices to have dma operations beyond 64K, and avoid warnings such
+as:
+
+DMA-API: xhci-mtk 11200000.usb: mapping sg segment longer than device claims to support [len=98304] [max=65536]
+
+Fixes: 0cbd4b34cda9 ("xhci: mediatek: support MTK xHCI host controller")
+Cc: stable <stable@kernel.org>
+Tested-by: Zubin Mithra <zsm@chromium.org>
+Reported-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20230628-mtk-usb-v2-1-c8c34eb9f229@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mtk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -590,6 +590,7 @@ static int xhci_mtk_probe(struct platfor
+ }
+
+ device_init_wakeup(dev, true);
++ dma_set_max_seg_size(dev, UINT_MAX);
+
+ xhci = hcd_to_xhci(hcd);
+ xhci->main_hcd = hcd;
--- /dev/null
+From 3ba2e83334bed2b1980b59734e6e84dfaf96026c Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Mon, 6 Jun 2022 19:45:56 +0000
+Subject: x86/MCE/AMD: Decrement threshold_bank refcount when removing threshold blocks
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 3ba2e83334bed2b1980b59734e6e84dfaf96026c upstream.
+
+AMD systems from Family 10h to 16h share MCA bank 4 across multiple CPUs.
+Therefore, the threshold_bank structure for bank 4, and its threshold_block
+structures, will be initialized once at boot time. And the kobject for the
+shared bank will be added to each of the CPUs that share it. Furthermore,
+the threshold_blocks for the shared bank will be added again to the bank's
+kobject. These additions will increase the refcount for the bank's kobject.
+
+For example, a shared bank with two blocks and shared across two CPUs will
+be set up like this:
+
+ CPU0 init
+ bank create and add; bank refcount = 1; threshold_create_bank()
+ block 0 init and add; bank refcount = 2; allocate_threshold_blocks()
+ block 1 init and add; bank refcount = 3; allocate_threshold_blocks()
+ CPU1 init
+ bank add; bank refcount = 3; threshold_create_bank()
+ block 0 add; bank refcount = 4; __threshold_add_blocks()
+ block 1 add; bank refcount = 5; __threshold_add_blocks()
+
+Currently in threshold_remove_bank(), if the bank is shared then
+__threshold_remove_blocks() is called. Here the shared bank's kobject and
+the bank's blocks' kobjects are deleted. This is done on the first call
+even while the structures are still shared. Subsequent calls from other
+CPUs that share the structures will attempt to delete the kobjects.
+
+During kobject_del(), kobject->sd is removed. If the kobject is not part of
+a kset with default_groups, then subsequent kobject_del() calls seem safe
+even with kobject->sd == NULL.
+
+Originally, the AMD MCA thresholding structures did not use default_groups.
+And so the above behavior was not apparent.
+
+However, a recent change implemented default_groups for the thresholding
+structures. Therefore, kobject_del() will go down the sysfs_remove_groups()
+code path. In this case, the first kobject_del() may succeed and remove
+kobject->sd. But subsequent kobject_del() calls will give a WARNing in
+kernfs_remove_by_name_ns() since kobject->sd == NULL.
+
+Use kobject_put() on the shared bank's kobject when "removing" blocks. This
+decrements the bank's refcount while keeping kobjects enabled until the
+bank is no longer shared. At that point, kobject_put() will be called on
+the blocks which drives their refcount to 0 and deletes them and also
+decrementing the bank's refcount. And finally kobject_put() will be called
+on the bank driving its refcount to 0 and deleting it.
+
+The same example above:
+
+ CPU1 shutdown
+ bank is shared; bank refcount = 5; threshold_remove_bank()
+ block 0 put parent bank; bank refcount = 4; __threshold_remove_blocks()
+ block 1 put parent bank; bank refcount = 3; __threshold_remove_blocks()
+ CPU0 shutdown
+ bank is no longer shared; bank refcount = 3; threshold_remove_bank()
+ block 0 put block; bank refcount = 2; deallocate_threshold_blocks()
+ block 1 put block; bank refcount = 1; deallocate_threshold_blocks()
+ put bank; bank refcount = 0; threshold_remove_bank()
+
+Fixes: 7f99cb5e6039 ("x86/CPU/AMD: Use default_groups in kobj_type")
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/alpine.LRH.2.02.2205301145540.25840@file01.intranet.prod.int.rdu2.redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/amd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/amd.c
++++ b/arch/x86/kernel/cpu/mce/amd.c
+@@ -1265,10 +1265,10 @@ static void __threshold_remove_blocks(st
+ struct threshold_block *pos = NULL;
+ struct threshold_block *tmp = NULL;
+
+- kobject_del(b->kobj);
++ kobject_put(b->kobj);
+
+ list_for_each_entry_safe(pos, tmp, &b->blocks->miscj, miscj)
+- kobject_del(&pos->kobj);
++ kobject_put(b->kobj);
+ }
+
+ static void threshold_remove_bank(struct threshold_bank *bank)
projects / thirdparty / kernel / stable-queue.git / commitdiff
